Kyle J. McKay [Sun, 3 Dec 2017 23:57:43 +0000 (3 15:57 -0800)]
CACreateCert: support --request and --utf8
With --request output a Certificate Signing Request instead of an
X.509 certificate.
With --utf8 always use UTF8String to encode strings that would
otherwise be encoded as PrintableString and are allowed to alternatively
be encoded as UTF8String.
Note that it may be necessary to use both the --no-extensions and
--utf8 options to generate a byte-exact match for `openssl req -new`
output.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 28 Nov 2017 01:48:33 +0000 (27 17:48 -0800)]
CACreateCert: allow use of --random with non-root certs
There's no reason to disallow use of --random with non-root
certificates. By combining --random with an explicit --dni
"serialNumber=#" any number of unique certificates can readily be
generated of any type from a template that will all end up having
unique subject distinguished names.
It would, of course, also be possible to do this by simply incrementing
a counter and embedding that. But, by using the --random plus --dni
"serialNumber=#" system, multiple discrete systems can be reasonably
assured of generating unique certificate subject distinguished names
from the same template with no mutual coordination required between
them to avoid subject distinguished name collisions.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 30 May 2017 23:02:23 +0000 (30 16:02 -0700)]
CACreateCert: update, clarify and enhance text
Elaborate on value assigned to the notAfter field, mention
the "req -pubkey" command and provide tips on dealing with CSRs.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 30 May 2017 07:55:02 +0000 (30 00:55 -0700)]
CACreateCert: calm the whirlpool a bit
A message on the OpenSSL mailing list had suggested using an
unofficial OID as a "whirlpoolWithRSAEncryption" OID.
http://openssl.6102.n7.nabble.com/Creating-a-x509-request-with-Whirlpool-td27209.html#message27213o
That unofficial OID has since been officially assigned by
RFC 8017 to something else.
The whirlpool hash algorithm identifier is officially declared
as 1.0.10118.3.0.55 in RFC 6931 section 2.3.8. However that
section is actually titled "RSA-Whirlpool" and the section is
fairly clear that the only valid encryption method to be used
with whirlpool is RSA. Therefore using the same OID for both the
hash algorithm and signature algorithm OIDs should be clear and
unambiguous. Like mud.
Update the signature algorithm OID used for RSA-Whirlpool to be
the same as the OID used for the whirlpool hash algorithm (the
officially assigned 1.0.10118.3.0.55 "whirlpool" value) and change
the warning text and bug text appropriately in order to stop using
or referencing the unofficial OID that is now officially something
else. Also add constants for two new RSA hash+encryption OIDs
(from RFC 8017), but do not include an implementation as there
doesn't yet seem to be any "openssl" option to generate them.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 30 May 2017 07:09:42 +0000 (30 00:09 -0700)]
CACreateCert: correct wording about self-signed combo certs
It's still mumbo jumbo, but at least it's not a sentence
fragment anymore.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 16 May 2017 13:12:23 +0000 (16 06:12 -0700)]
CACreateCert: remove "OfIncorporation" from EV subject OIDs
The EV certificate guidelines version 1.4.6 adopted and effective
2014-03-24 removed the "OfIncorporation" part from the OID
name.
Include the new shorter names while keeping the old ones as
aliases.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Mon, 9 Jan 2017 12:38:27 +0000 (9 04:38 -0800)]
CACreateCert: mention openssl -x509toreq in TIPS
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Fri, 6 Jan 2017 11:13:19 +0000 (6 03:13 -0800)]
CACreateCert: improve features for use with --email
Mention in the README that CACreateCert can create perfectly usable
S/MIME email signing/encryption certificates. Also mention that an
example of how to do so is now part of the `CACreateCert --help`
output.
Also make it possible to move the location of the emailAddress
component of the subject distinguished name to anywhere in the
subject distinguished name if desired.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Thu, 27 Oct 2016 21:41:19 +0000 (27 14:41 -0700)]
ConvertPubKey: tolerate any $PATH location for perl
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Thu, 28 Apr 2016 08:55:30 +0000 (28 01:55 -0700)]
CACreateCert: support LibreSSL's openssl command
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Kyle J. McKay [Tue, 10 Feb 2015 07:21:18 +0000 (9 23:21 -0800)]
README: add some headings and .md alias
Kyle J. McKay [Tue, 10 Feb 2015 02:52:14 +0000 (9 18:52 -0800)]
CACreateCert: let --dni serial=# relocate the random serial number
Kyle J. McKay [Tue, 10 Feb 2015 02:00:32 +0000 (9 18:00 -0800)]
CACreateCert: Acme Certificate Co.
See --acme option.
Kyle J. McKay [Tue, 10 Feb 2015 00:15:34 +0000 (9 16:15 -0800)]
CACreateCert: add support for including arbitrary distinguished name information
New --dni option that can read data from a file if desired.
Kyle J. McKay [Thu, 5 Feb 2015 07:54:20 +0000 (4 23:54 -0800)]
CACreateCert: various minor cleanups and elucidations
Kyle J. McKay [Sun, 30 Nov 2014 23:53:03 +0000 (30 15:53 -0800)]
CACreateCert: add some additional explanatory comments
Kyle J. McKay [Sun, 9 Nov 2014 00:50:25 +0000 (8 16:50 -0800)]
CACreateCert: add some warning text about --dns usage
Kyle J. McKay [Sat, 8 Nov 2014 03:06:08 +0000 (7 19:06 -0800)]
CACreateCert: never default to less than sha-256 if SHA-2 available
Kyle J. McKay [Thu, 6 Nov 2014 22:55:39 +0000 (6 14:55 -0800)]
CACreateCert: tweak the documentation a bit
Kyle J. McKay [Sun, 2 Nov 2014 10:26:41 +0000 (2 02:26 -0800)]
CACreateCert: make --root + --other-type do the right thing
When combining --root with one other type, make sure the correct
name type is chosen and the correct key usage bits are set.
Kyle J. McKay [Sun, 2 Nov 2014 07:24:05 +0000 (2 00:24 -0700)]
CACreateCert: add support for --dns option
Using the --dns option alternative names for --server
certificates can be added.
Kyle J. McKay [Sun, 2 Nov 2014 01:50:44 +0000 (1 18:50 -0700)]
CACreateCert: choose a stronger default hash for longer keys
If the public key or signing key has a security strength of more
than 128 bits then sha-256 is not appropriate as a default hash
as it has only 128 bits of security strength. Choose a stronger
hash as the default hash in this case and warn if it's not
available.
Kyle J. McKay [Sun, 2 Nov 2014 01:41:46 +0000 (1 18:41 -0700)]
ConvertPubKey: fine tune compute_rsadsa_strength
Kyle J. McKay [Tue, 28 Oct 2014 21:21:09 +0000 (28 14:21 -0700)]
ConvertPubKey: include secstrength in verbose output
Include the estimated security bit strength of the key
in the output. These are taken from part 1 of NIST
special publication 800-57. Where an exact match is
not available, an approximation is shown.
Kyle J. McKay [Mon, 30 Dec 2013 11:32:38 +0000 (30 03:32 -0800)]
CACreateCert: fix typo in help
Kyle J. McKay [Sun, 1 Dec 2013 02:46:41 +0000 (30 18:46 -0800)]
Examples.html: correct some wording
Kyle J. McKay [Tue, 10 Sep 2013 16:01:08 +0000 (10 09:01 -0700)]
ConvertPubKey: show DSA prime divisor bit size
When in verbose mode (e.g. --verbose and/or --check), show the size of
the DSA prime divisor (q) in bits. Additionally emit warnings about this
size consistent with NIST 800-57 recommendations if it's too small.
Kyle J. McKay [Tue, 10 Sep 2013 14:52:47 +0000 (10 07:52 -0700)]
Remove incorrect option aliases
CACreateCert: -c is not an alias for --in, --out or --suffix so remove it
ConvertPubKey: -c is not an alias for --in or --out so remove it
ConvertPubKey: --infile and --outfile should not be recognized options,
change them to the correct --in and --out which were
already working properly as unambiguous abbreviations
Kyle J. McKay [Thu, 4 Jul 2013 02:51:30 +0000 (3 19:51 -0700)]
CACreateCert: add support for --dnq to add a dnQualifier
Kyle J. McKay [Wed, 3 Jul 2013 22:32:21 +0000 (3 15:32 -0700)]
CACreateCert: allow multiple --suffix options
Kyle J. McKay [Thu, 20 Jun 2013 05:36:56 +0000 (19 22:36 -0700)]
ConvertPubKey: Add hint comment to locate help
Kyle J. McKay [Tue, 11 Jun 2013 17:56:00 +0000 (11 10:56 -0700)]
Remove some ConvertPubKey debugging code
Kyle J. McKay [Tue, 11 Jun 2013 17:50:28 +0000 (11 10:50 -0700)]
New ConvertPubKey utility
Kyle J. McKay [Tue, 11 Jun 2013 16:58:55 +0000 (11 09:58 -0700)]
CACreateCert: Fix undefined infilename variable when showing errors
Kyle J. McKay [Thu, 16 May 2013 01:08:26 +0000 (15 18:08 -0700)]
Switch from UTF-8 to ISO-8859-1 so it works with dumb servers
Kyle J. McKay [Tue, 14 May 2013 03:47:11 +0000 (13 20:47 -0700)]
Add support for --suffix option
Kyle J. McKay [Sat, 11 May 2013 12:02:12 +0000 (11 05:02 -0700)]
Add support for --in and --out options
Kyle J. McKay [Fri, 10 May 2013 16:19:04 +0000 (10 09:19 -0700)]
Add a README.txt file
Kyle J. McKay [Fri, 10 May 2013 16:05:42 +0000 (10 09:05 -0700)]
Add an Examples.html page
Kyle J. McKay [Tue, 7 May 2013 16:30:56 +0000 (7 09:30 -0700)]
Prefer /dev/urandom over /dev/random if it exists
Kyle J. McKay [Tue, 7 May 2013 16:26:38 +0000 (7 09:26 -0700)]
Add some license text to version output
Kyle J. McKay [Tue, 7 May 2013 16:21:23 +0000 (7 09:21 -0700)]
Make --random the default for --root and support --no-random
Kyle J. McKay [Tue, 7 May 2013 16:10:01 +0000 (7 09:10 -0700)]
Add a license
Kyle J. McKay [Thu, 28 Mar 2013 12:52:17 +0000 (28 05:52 -0700)]
Make CACreateCertClient the only tool since it does it all
Kyle J. McKay [Thu, 28 Mar 2013 12:51:27 +0000 (28 05:51 -0700)]
Extensive --help updates
Kyle J. McKay [Thu, 28 Mar 2013 12:15:31 +0000 (28 05:15 -0700)]
Make --applecodesign use CN instead of userId
Kyle J. McKay [Thu, 28 Mar 2013 12:12:46 +0000 (28 05:12 -0700)]
Auto detect when --pubx509 option needed
Kyle J. McKay [Thu, 28 Mar 2013 11:17:52 +0000 (28 04:17 -0700)]
Fix incorrect unpack calls in GetCertInfo
Kyle J. McKay [Fri, 7 Sep 2012 00:26:38 +0000 (7 00:26 +0000)]
CACreateCertClient: fix description grammo
Kyle J. McKay [Sun, 30 Oct 2011 20:18:42 +0000 (30 20:18 +0000)]
Add --rootauth and --authext to optionally restore authority key id for root and serial number/directory name for non-root authority key id
Kyle J. McKay [Wed, 26 Oct 2011 20:03:59 +0000 (26 20:03 +0000)]
Support new --applecodesign, --client and --pathlen= options. Always allow zero or more extended key usage. Omit authority key id for root. Always omit authority key dirname and serial number.
Kyle J. McKay [Wed, 26 Oct 2011 18:09:19 +0000 (26 18:09 +0000)]
Make Xcode Perl parser behave
Kyle J. McKay [Wed, 21 Sep 2011 01:32:47 +0000 (21 01:32 +0000)]
More extensions fiddling
Kyle J. McKay [Tue, 20 Sep 2011 16:11:04 +0000 (20 16:11 +0000)]
Yet even more capabilities added
Kyle J. McKay [Sun, 18 Sep 2011 04:32:57 +0000 (18 04:32 +0000)]
Correct value encoded for authorityCertIssuer
Kyle J. McKay [Sun, 18 Sep 2011 03:09:56 +0000 (18 03:09 +0000)]
More capabilities
Kyle J. McKay [Sat, 17 Sep 2011 23:55:45 +0000 (17 23:55 +0000)]
Utility to create a client certificate from only an OpenSSH public key given a CA certificate and its private key
Kyle J. McKay [Sat, 17 Sep 2011 23:54:33 +0000 (17 23:54 +0000)]
Use everything except the serial number in the hash to create the serial number
Kyle J. McKay [Thu, 15 Sep 2011 04:57:31 +0000 (15 04:57 +0000)]
Minor comment cleanup
Kyle J. McKay [Thu, 15 Sep 2011 01:23:08 +0000 (15 01:23 +0000)]
Make generated certificates be repeatable by default. Improve help output
Kyle J. McKay [Wed, 14 Sep 2011 21:57:22 +0000 (14 21:57 +0000)]
Display OpenSSH md5 and sha1 fingerprints in verbose mode
Kyle J. McKay [Wed, 14 Sep 2011 21:10:58 +0000 (14 21:10 +0000)]
Tool that creates a root certificate from an RSA private key and a common name