Difference between revisions of "PKI 10.9 Certificate Transparency"

From Dogtag
Jump to: navigation, search
(Configuration)
 
Line 14: Line 14:
 
           will carry SCT extension
 
           will carry SCT extension
 
             SignedCertificateTimestampListExtDefaultImpl
 
             SignedCertificateTimestampListExtDefaultImpl
  default is true
+
  default is disabled
 
  if unknown mode then error will be thrown.
 
  if unknown mode then error will be thrown.
  

Latest revision as of 23:24, 31 July 2020

A basic version of Certificate Transparency (CT) V1 support (rfc 6962) is offered in this release. It has the capability of issuing certificates with embedded Signed Certificate Time stamps (SCTs) from any trusted log where each deployment site chooses to have its root CA cert included. The system can also be configured to support multiple CT logs. Minimum of one trusted CT log is required for this feature to work.

Setup

For testing purposes, one could setup a PKI CA while follow the procedure documented under "test Logs" of http://www.certificate-transparency.org/known-logs to have your test root added to the Google Testtube.

The rest of this document assumes that you already set up your root CA with all your desired CT log servers.

Configuration

 There are three Certificate Transparency modes:
     disabled: issued certs will not carry SCT extension
     enabled: issued certs will carry SCT extension
     perProfile: certs enrolled through those profiles
         that contain the following policyset
         will carry SCT extension
            SignedCertificateTimestampListExtDefaultImpl
default is disabled
if unknown mode then error will be thrown.

Here is a quick example on how to set up with 3 test CT logs where only two of them are enabled:

Add the following in CA’s CS.cfg:

ca.certTransparency.mode=enabled
ca.certTransparency.log.1.enable=true
ca.certTransparency.log.1.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw8i8S7qiGEs9NXv0ZJFh6uuOmR2Q7dPprzk9XNNGkUXjzqx2SDvRfiwKYwBljfWujozHESVPQyydGaHhkaSz/g==
ca.certTransparency.log.1.url=http://ct.googleapis.com:80/testtube/
ca.certTransparency.log.1.version=1
ca.certTransparency.log.2.enable=true
ca.certTransparency.log.2.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKATl2B3SAbxyzGOfNRB+AytNTGvdF/FFY6HzWb+/HPE4lJ37vx2nEm99KYUy9SoNzF5VyTwCQG5nL/c5Q77yQQ==
ca.certTransparency.log.2.url=http://ct.googleapis.com:80/logs/crucible/
ca.certTransparency.log.2.version=1
ca.certTransparency.log.3.enable=false
ca.certTransparency.log.3.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiKfWtuoWCPMEzSKySjMjXpo38WOdZr6Yq0WYa2JQOv1uVMxkqHywf9Gz1kGeRLq/Rz3tVVvXgqb4jQ1UqKVKnw==
ca.certTransparency.log.3.url=http://ct.googleapis.com:80/logs/solera2020/
ca.certTransparency.log.3.version=1
ca.certTransparency.log.num=3

Restart the CA

Quick Test

A more comprehensive test procedure would involve setting up a TLS server and test for its cert's inclusion from it's specified CT logs. However, the following is a quick test method that I conduct during development just to test for inclusion of the SCT extension.

  • Generate a CSR: e.g.
    • PKCS10Client -d . -p passwd -l 2048 -n "cn=ladycfu.test.redhat.com,OU=ladycfu-TEST,O=TestDomain" -o pkcs10-TLS.req
  • Submit the CSR to an enrollment profile depending on the CT mode in CS.cfg:
    • if (ca.certTransparency.mode=enabled)
      • use any enrollment profile
    • if (ca.certTransparency.mode=perProfile)
      • using one of the CT profiles: e.g.
        • caServerCertWithSCT
  • Verify the SCT extension using openssl:
    • Copy the issued b64 cert into a file. E.g. ct1.pem
    • Convert the pem to binary: AtoB ct1.pem ct1.bin
    • openssl x509 -noout -text -inform der -in ct1.bin
      • Observe that the SCT extension is present. E.g.
           CT Precertificate SCTs:  
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87:
                               2A:C7:E8:8B:13:2C:63:50:B7:C6:FD:26:E1:6C:6C:77
                   Timestamp : Jun 11 23:07:14.146 2020 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:44:02:20:6E:E7:DC:D6:6B:A6:43:E3:BB:8E:1D:28:
                               63:C6:6B:03:43:4E:7A:90:0F:D6:2B:E8:ED:55:1D:5F:
                               86:0C:5A:CE:02:20:53:EB:75:FA:75:54:9C:9F:D3:7A:
                               D4:E7:C6:6C:9B:33:2A:75:D8:AB:DE:7D:B9:FA:2B:19:
                               56:22:BB:EF:19:AD
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : C3:BF:03:A7:E1:CA:88:41:C6:07:BA:E3:FF:42:70:FC:
                               A5:EC:45:B1:86:EB:BE:4E:2C:F3:FC:77:86:30:F5:F6
                   Timestamp : Jun 11 23:07:14.516 2020 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:44:02:20:4A:C9:4D:EF:64:02:A7:69:FF:34:4E:41:
                               F4:87:E1:6D:67:B9:07:14:E6:01:47:C2:0A:72:88:7A:
                               A9:C3:9C:90:02:20:31:26:15:75:60:1E:E2:C0:A3:C2:
                               ED:CF:22:A0:3B:A4:10:86:D1:C1:A3:7F:68:CC:1A:DD:
                               6A:5E:10:B2:F1:8F

Or I could do asn1 dump like this: openssl asn1parse -i -inform der -in ct1.bin, and observe the hex dump. E.g.

  740:d=4  hl=4 l= 258 cons:     SEQUENCE           
  744:d=5  hl=2 l=  10 prim:      OBJECT            :CT Precertificate SCTs
  756:d=5  hl=3 l= 243 prim:      OCTET STRING      [HEX DUMP]:0481F000EE007500B0CC83E5A5F97D6BAF7C09CC284904872AC7E88B132C6350B7C6FD26E16C6C7700000172A5A32D62000004030046304402206EE7DCD66BA643E3BB8E1D2863C66B03434E7A900FD62BE8ED551D5F860C5ACE022053EB75FA75549C9FD37AD4E7C66C9B332A75D8ABDE7DB9FA2B195622BBEF19AD007500C3BF03A7E1CA8841C607BAE3FF4270FCA5EC45B186EBBE4E2CF3FC778630F5F600000172A5A32ED4000004030046304402204AC94DEF6402A769FF344E41F487E16D67B90714E60147C20A72887AA9C39C90022031261575601EE2C0A3C2EDCF22A03BA41086D1C1A37F68CC1ADD6A5E10B2F18F

See Also