ACME Certificate

From Dogtag
Jump to: navigation, search

Overview

This page provides an example of a certificate issued by Let's Encrypt.

Server Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:2a:62:d5:cd:d2:61:90:09:ee:f2:bf:ce:96:6b:cf:f8:27
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jul 17 05:01:37 2019 GMT
            Not After : Oct 15 05:01:37 2019 GMT
        Subject: CN=pki.demo.dogtagpki.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c2:da:0d:54:32:f0:ae:ab:a1:05:79:9e:0e:59:
                    65:32:f9:54:7b:c2:e0:52:86:51:fe:c7:e7:2a:8b:
                    dc:c6:ac:96:28:ce:ca:03:79:26:0c:95:7d:08:34:
                    b3:55:ea:ea:b9:a1:8f:95:32:a0:b4:92:85:dc:c3:
                    ef:c9:af:00:f5:62:50:8b:7a:b8:fb:41:1b:7e:56:
                    d6:e1:04:7a:59:3b:51:78:2c:07:9d:c2:c0:8d:61:
                    e6:89:3e:e9:cd:60:f5:c8:da:41:18:16:e8:21:7e:
                    ce:c7:a7:1f:f8:1d:ab:01:21:8d:eb:28:a4:5f:7e:
                    21:c7:0f:c0:91:4e:64:1f:c7:cf:48:04:5d:85:14:
                    32:38:36:d6:b3:59:8b:79:03:36:c9:67:16:cf:a5:
                    6f:ad:69:4a:76:1e:ab:16:53:58:45:fa:fc:18:3b:
                    da:7b:18:f8:6d:9a:17:3c:66:36:bc:49:d5:b5:5e:
                    f6:89:41:b7:9f:4e:9c:3b:b1:db:91:57:a7:48:a5:
                    b6:fe:22:57:65:dd:f1:f6:27:30:77:e5:a1:21:00:
                    71:17:44:af:0d:a2:0a:27:fe:fe:f7:d1:31:ce:7a:
                    14:a2:eb:71:c9:41:ff:42:55:ed:93:f4:20:a6:25:
                    6c:83:2e:9c:9e:85:e4:85:b6:12:d7:46:22:3c:cc:
                    64:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                5D:72:EC:0D:35:E5:75:C3:11:4A:B4:A9:B5:B8:77:1C:95:DF:A6:12
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:pki.demo.dogtagpki.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Jul 17 06:01:37.372 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DA:A6:E6:3D:6C:92:85:C6:35:13:FB:
                                16:8E:98:6B:A2:2E:5C:44:EB:14:68:A6:01:67:89:1C:
                                3C:FF:7E:45:8C:02:21:00:CD:2C:1C:07:CF:9F:20:93:
                                64:48:A0:75:3C:B4:80:04:90:86:F2:E8:2D:D9:F6:E4:
                                2C:17:1C:1D:FC:F4:DE:19
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Jul 17 06:01:37.853 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:73:AE:DC:2F:42:98:5C:25:02:46:63:B1:
                                0C:C5:F3:CF:58:4B:83:41:86:55:CF:98:47:8E:D3:77:
                                D8:53:BD:40:02:21:00:D8:69:39:85:3A:FF:47:B6:89:
                                21:EA:48:B4:DA:9D:F5:A6:4F:B2:DF:AD:DF:BE:74:C9:
                                6A:BA:0C:FC:0D:13:BC
    Signature Algorithm: sha256WithRSAEncryption
         32:22:c9:01:fa:17:0c:c2:7b:b5:95:a5:90:70:fb:b1:f2:34:
         c5:65:73:d7:05:a1:66:29:38:01:79:83:c5:7f:29:d7:99:a1:
         92:80:53:59:d9:c5:d4:bb:ea:5c:fd:55:63:05:2c:da:35:41:
         60:20:43:ae:e4:07:7b:d4:4a:a5:12:ea:68:98:d4:91:4e:b5:
         0a:8e:35:f0:5c:4d:0e:1b:60:79:3e:9d:20:7b:f0:87:75:53:
         37:6e:ea:04:76:bc:40:61:2c:57:b7:0a:ce:c2:eb:79:f5:72:
         41:f6:87:14:31:fc:03:85:d0:23:a9:3f:99:1d:4e:42:8a:f0:
         89:23:30:51:83:08:cc:e4:2f:2b:91:18:0f:b7:fb:27:48:07:
         0d:5b:b6:55:27:eb:16:52:66:6b:07:ff:33:e9:1e:f1:56:f6:
         44:de:19:18:05:4b:c4:d1:fe:eb:f6:79:a1:45:19:4d:52:a2:
         67:ae:4a:b2:b3:38:b3:a1:f5:6a:8d:a3:48:78:fe:c8:b6:a6:
         ef:a0:ef:f5:34:40:b2:4c:e9:ca:e4:1b:7d:e8:43:ae:0a:7c:
         e2:02:68:70:f8:0b:24:8c:29:c9:b0:f1:db:4f:c1:84:a4:7c:
         7c:0c:0a:fb:ed:34:ca:59:77:5e:7c:ed:fc:da:42:ff:51:8b:
         1e:54:fd:5a

To issue a server certificate with NSS:

$ BASIC_CONST_EXT="\n\ny\n"
$ AKID_EXT="y\n${AKID}\n\n\n\n"
$ SKID_EXT="${SKID}\n\n"
$ AIA_EXT="2\n7\nhttp://ocsp.int-x3.letsencrypt.org\n\ny\n1\n7\nhttp://cert.int-x3.letsencrypt.org/\n\n\n\n"
$ CP_EXT="2.23.140.1.2.1\n\ny\n1.3.6.1.4.1.44947.1.1.1\n1\nhttp://cps.letsencrypt.org\n\n\n\n"
$ echo -e "${BASIC_CONST_EXT}${AKID_EXT}${SKID_EXT}${AIA_EXT}${CP_EXT}" | \
 certutil -C \
 -d nssdb \
 -f password.txt \
 -m $RANDOM \
 -a \
 -i sslserver.csr \
 -o sslserver.crt \
 -c "ca_signing" \
 -2 \
 -3 \
 --extSKID \
 --extAIA \
 --extCP \
 --extSAN dns:pki.demo.dogtagpki.org \
 --keyUsage critical,digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth,clientAuth

CA Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Mar 17 16:40:46 2016 GMT
            Not After : Mar 17 16:40:46 2021 GMT
        Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
                    68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
                    92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
                    2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
                    79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
                    0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
                    77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
                    ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
                    fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
                    7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
                    fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
                    ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
                    80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
                    25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
                    a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
                    2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
                    0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
                    c3:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Authority Information Access: 
                OCSP - URI:http://isrg.trustid.ocsp.identrust.com
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
    Signature Algorithm: sha256WithRSAEncryption
         dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
         70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
         24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
         cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
         6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
         c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
         e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
         2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
         fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
         5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
         1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
         fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
         4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
         28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
         34:5b:b4:42

See Also