# Building my own 802.1AR CA by openssl 1.0.2k # Write by Robert G. Moskowitz, HTT Consulting, LLC # 2017-08-21 # https://jamielinux.com/docs/openssl-certificate-authority/introduction.html # with ECDSA help from: # https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations # ToDo - CRL OCSP # PEM password = testca export dir=$cadir/8021ARintermediate sn=8 # hex 8 is minimum, 19 is maximum # This uses the same root Ca as in pki-ecdsa-steps.txt # Intermediate (Signing) CA mkdir $dir cd $dir mkdir certs crl csr newcerts private chmod 700 private touch index.txt openssl rand -hex $sn > $dir/serial echo 1000 > $dir/crlnumber wget http://www.htt-consult.com/pki/openssl-8021AR.cnf # For added security while using openssl consider: # restore_mask=$(umask -p) # umask 077 # then afterwards restore umask # $restore_mask # cd $dir countryName="/C=US" stateOrProvinceName="/ST=MI" localityName="/L=Oak Park" organizationName="/O=HTT Consulting" organizationalUnitName="/OU=Devices" #organizationalUnitName= commonName="/CN=802.1AR CA" DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName echo $DN export subjectAltName=email:postmaster@htt-consult.com echo $subjectAltName openssl genpkey -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \ -pkeyopt ec_param_enc:named_curve -out $dir/private/8021ARintermediate.key.pem chmod 400 $dir/private/8021ARintermediate.key.pem openssl pkey -in $dir/private/8021ARintermediate.key.pem -text -noout openssl req -config $cadir/openssl-root.cnf -key $dir/private/8021ARintermediate.key.pem \ -subj "$DN" -new -sha256 -out $dir/csr/8021ARintermediate.csr.pem openssl req -text -noout -verify -in $dir/csr/8021ARintermediate.csr.pem openssl rand -hex $sn > $dir/serial # hex 8 is minimum, 19 is maximum openssl ca -config $cadir/openssl-root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 \ -in $dir/csr/8021ARintermediate.csr.pem -out $dir/certs/8021ARintermediate.cert.pem chmod 444 $dir/certs/8021ARintermediate.cert.pem openssl verify -CAfile $cadir/certs/ca.cert.pem $dir/certs/8021ARintermediate.cert.pem openssl x509 -noout -text -in $dir/certs/8021ARintermediate.cert.pem cat $dir/certs/8021ARintermediate.cert.pem $cadir/certs/ca.cert.pem > $dir/certs/ca-8021ARchain.cert.pem chmod 444 $dir/certs/ca-8021ARchain.cert.pem # 802.1AR Cert # cd $dir DevID=Wt1234 countryName= stateOrProvinceName= localityName= organizationName="/O=HTT Consulting" organizationalUnitName="/OU=Devices" commonName= serialNumber="/serialNumber=$DevID" DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName$serialNumber echo $DN export hwType=1.3.6.1.4.1.6715.10.1 # HTT Consulting, devices, sensor widgets export hwSerialNum=01020304 # Some hex echo $hwType - $hwSerialNum openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \ -pkeyopt ec_param_enc:named_curve -out $dir/private/$DevID.key.pem chmod 400 $dir/private/$DevID.key.pem openssl pkey -in $dir/private/$DevID.key.pem -text -noout openssl req -config $dir/openssl-8021AR.cnf -key $dir/private/$DevID.key.pem \ -subj "$DN" -new -sha256 -out $dir/csr/$DevID.csr.pem openssl req -text -noout -verify -in $dir/csr/$DevID.csr.pem openssl asn1parse -i -in $dir/csr/$DevID.csr.pem # offset of start of hardwareModuleName and use that in place of 189 openssl asn1parse -i -strparse 189 -in $dir/csr/$DevID.csr.pem openssl rand -hex $sn > $dir/serial # hex 8 is minimum, 19 is maximum openssl ca -config $dir/openssl-8021AR.cnf -extensions 8021ar_idevid -notext -md sha256 \ -in $dir/csr/$DevID.csr.pem -out $dir/certs/$DevID.cert.pem chmod 444 $dir/certs/$DevID.cert.pem openssl verify -CAfile $dir/certs/ca-8021ARchain.cert.pem $dir/certs/$DevID.cert.pem openssl x509 -noout -text -in $dir/certs/$DevID.cert.pem openssl asn1parse -i -in $dir/certs/$DevID.cert.pem # offset of start of hardwareModuleName and use that in place of 494 openssl asn1parse -i -strparse 494 -in $dir/certs/$DevID.cert.pem