1 \input texinfo @c -*- texinfo -*-
4 @setfilename hx509.info
9 @c some sensible characters, please?
19 @set VERSION @value{PACKAGE_VERSION}
25 * hx509: (hx509). The X.509 distribution from KTH
32 @subtitle X.509 distribution from KTH
33 @subtitle Edition @value{EDITION}, for version @value{VERSION}
35 @author Love Hörnquist Åstrand
37 @def@copynext{@vskip 20pt plus 1fil}
42 Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
43 (Royal Institute of Technology, Stockholm, Sweden).
46 Redistribution and use in source and binary forms, with or without
47 modification, are permitted provided that the following conditions
50 1. Redistributions of source code must retain the above copyright
51 notice, this list of conditions and the following disclaimer.
53 2. Redistributions in binary form must reproduce the above copyright
54 notice, this list of conditions and the following disclaimer in the
55 documentation and/or other materials provided with the distribution.
57 3. Neither the name of the Institute nor the names of its contributors
58 may be used to endorse or promote products derived from this software
59 without specific prior written permission.
61 THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
62 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
63 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
64 ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
65 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
66 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
67 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
68 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
69 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
70 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
75 Copyright (c) 1988, 1990, 1993
76 The Regents of the University of California. All rights reserved.
78 Redistribution and use in source and binary forms, with or without
79 modification, are permitted provided that the following conditions
82 1. Redistributions of source code must retain the above copyright
83 notice, this list of conditions and the following disclaimer.
85 2. Redistributions in binary form must reproduce the above copyright
86 notice, this list of conditions and the following disclaimer in the
87 documentation and/or other materials provided with the distribution.
89 3. Neither the name of the University nor the names of its contributors
90 may be used to endorse or promote products derived from this software
91 without specific prior written permission.
93 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
94 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
95 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
96 ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
97 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
98 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
99 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
101 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
102 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107 Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
109 This software is not subject to any license of the American Telephone
110 and Telegraph Company or of the Regents of the University of California.
112 Permission is granted to anyone to use this software for any purpose on
113 any computer system, and to alter it and redistribute it freely, subject
114 to the following restrictions:
116 1. The authors are not responsible for the consequences of use of this
117 software, no matter how awful, even if they arise from flaws in it.
119 2. The origin of this software must not be misrepresented, either by
120 explicit claim or by omission. Since few users ever read sources,
121 credits must appear in the documentation.
123 3. Altered versions must be plainly marked as such, and must not be
124 misrepresented as being the original software. Since few users
125 ever read sources, credits must appear in the documentation.
127 4. This notice may not be removed or altered.
131 IMath is Copyright 2002-2005 Michael J. Fromberger
132 You may use it subject to the following Licensing Terms:
134 Permission is hereby granted, free of charge, to any person obtaining
135 a copy of this software and associated documentation files (the
136 "Software"), to deal in the Software without restriction, including
137 without limitation the rights to use, copy, modify, merge, publish,
138 distribute, sublicense, and/or sell copies of the Software, and to
139 permit persons to whom the Software is furnished to do so, subject to
140 the following conditions:
142 The above copyright notice and this permission notice shall be
143 included in all copies or substantial portions of the Software.
145 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
146 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
147 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
148 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
149 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
150 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
151 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
156 @macro manpage{man, section}
157 @cite{\man\(\section\)}
160 @c Less filling! Tastes great!
163 @global@parskip 6pt plus 1pt
164 @global@chapheadingskip = 15pt plus 4pt minus 2pt
165 @global@secheadingskip = 12pt plus 3pt minus 2pt
166 @global@subsecheadingskip = 9pt plus 2pt minus 2pt
173 @node Top, Introduction, (dir), (dir)
177 This manual is for version @value{VERSION} of hx509.
183 * CMS signing and encryption::
184 * Certificate matching::
185 * Software PKCS 11 module::
188 --- The Detailed Node Listing ---
192 @c * Issuing certificates::
193 * Creating a CA certificate::
194 * Issuing certificates::
196 @c * Issuing a proxy certificate::
197 @c * Creating a user certificate::
198 @c * Validating a certificate::
199 @c * Validating a certificate path::
200 * Application requirements::
202 CMS signing and encryption
210 Software PKCS 11 module
212 * How to use the PKCS11 module::
217 @node Introduction, What is X.509 ?, Top, Top
218 @chapter Introduction
220 The goals of a PKI infrastructure (as defined in
221 <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>) is to meet
222 @emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
225 The administrator should be aware of certain terminologies as explained by the aforementioned
226 RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
230 Certificate Authority
232 Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
234 An optional system to which a CA delegates the publication of certificate revocation lists.
236 A system or collection of distributed systems that stores certificates and CRLs
237 and serves as a means of distributing these certificates and CRLs to end entities
240 hx509 (Heimdal x509 support) is a near complete X.509 stack that can
241 handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
242 and basic certificate processing tasks, path construction, path
243 validation, OCSP and CRL validation, PKCS10 message construction, CMS
244 Encrypted (shared secret encrypted), CMS SignedData (certificate
245 signed), and CMS EnvelopedData (certificate encrypted).
247 hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
250 @node What is X.509 ?, Setting up a CA, Introduction, Top
251 @chapter What is X.509, PKIX, PKCS7 and CMS ?
253 X.509 was created by CCITT (later ITU) for the X.500 directory
254 service. Today, X.509 discussions and implementations commonly reference
255 the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
256 standard, as specified in RFC 3280.
258 ITU continues to develop the X.509 standard together with the IETF in a
259 rather complicated dance.
261 X.509 is a public key based security system that has associated data
262 stored within a so called certificate. Initially, X.509 was a strict
263 hierarchical system with one root. However, ever evolving requiments and
264 technology advancements saw the inclusion of multiple policy roots,
265 bridges and mesh solutions.
267 x.509 can also be used as a peer to peer system, though often seen as a
270 @section Type of certificates
272 There are several flavors of certificate in X.509.
278 Trust anchors are strictly not certificates, but commonly stored in a
279 certificate format as they become easier to manage. Trust anchors are
280 the keys that an end entity would trust to validate other certificates.
281 This is done by building a path from the certificate you want to
282 validate to to any of the trust anchors you have.
284 @item End Entity (EE) certificates
286 End entity certificates are the most common types of certificates. End
287 entity certificates cannot issue (sign) certificate themselves and are generally
288 used to authenticate and authorize users and services.
290 @item Certification Authority (CA) certificates
292 Certificate authority certificates have the right to issue additional
293 certificates (be it sub-ordinate CA certificates to build an trust anchors
294 or end entity certificates). There is no limit to how many certificates a CA
295 may issue, but there might other restrictions, like the maximum path
298 @item Proxy certificates
300 Remember the statement "End Entity certificates cannot issue
301 certificates"? Well that statement is not entirely true. There is an
302 extension called proxy certificates defined in RFC3820, that allows
303 certificates to be issued by end entity certificates. The service that
304 receives the proxy certificates must have explicitly turned on support
305 for proxy certificates, so their use is somewhat limited.
307 Proxy certificates can be limited by policies stored in the certificate to
308 what they can be used for. This allows users to delegate the proxy
309 certificate to services (by sending over the certificate and private
310 key) so the service can access services on behalf of the user.
312 One example of this would be a print service. The user wants to print a
313 large job in the middle of the night when the printer isn't used that
314 much, so the user creates a proxy certificate with the policy that it
315 can only be used to access files related to this print job, creates the
316 print job description and send both the description and proxy
317 certificate with key over to print service. Later at night when the
318 print service initializes (without any user intervention), access to the files
319 for the print job is granted via the proxy certificate. As a result of (in-place)
320 policy limitations, the certificate cannot be used for any other purposes.
324 @section Building a path
326 Before validating a certificate path (or chain), the path needs to be
327 constructed. Given a certificate (EE, CA, Proxy, or any other type),
328 the path construction algorithm will try to find a path to one of the
331 The process starts by looking at the issuing CA of the certificate, by
332 Name or Key Identifier, and tries to find that certificate while at the
333 same time evaluting any policies in-place.
335 @node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
336 @chapter Setting up a CA
338 Do not let information overload scare you off! If you are simply testing
339 or getting started with a PKI infrastructure, skip all this and go to
340 the next chapter (see: @pxref{Creating a CA certificate}).
342 Creating a CA certificate should be more the just creating a
343 certificate, CA's should define a policy. Again, if you are simply
344 testing a PKI, policies do not matter so much. However, when it comes to
345 trust in an organisation, it will probably matter more whom your users
346 and sysadmins will find it acceptable to trust.
348 At the same time, try to keep things simple, it's not very hard to run a
349 Certificate authority and the process to get new certificates should be simple.
351 You may find it helpful to answer the following policy questions for
352 your organization at a later stage:
355 @item How do you trust your CA.
356 @item What is the CA responsibility.
357 @item Review of CA activity.
358 @item How much process should it be to issue certificate.
359 @item Who is allowed to issue certificates.
360 @item Who is allowed to requests certificates.
361 @item How to handle certificate revocation, issuing CRLs and maintain OCSP services.
364 @node Creating a CA certificate, Issuing certificates, Setting up a CA, Top
365 @section Creating a CA certificate
367 This section describes how to create a CA certificate and what to think
370 @subsection Lifetime CA certificate
372 You probably want to create a CA certificate with a long lifetime, 10
373 years at the very minimum. This is because you don't want to push out the
374 certificate (as a trust anchor) to all you users again when the old
375 CA certificate expires. Although a trust anchor can't really expire, not all
376 software works in accordance with published standards.
378 Keep in mind the security requirements might be different 10-20 years
379 into the future. For example, SHA1 is going to be withdrawn in 2010, so
380 make sure you have enough buffering in your choice of digest/hash
381 algorithms, signature algorithms and key lengths.
383 @subsection Create a CA certificate
385 This command below can be used to generate a self-signed CA certificate.
388 hxtool issue-certificate \
392 --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
394 --certificate="FILE:ca.pem"
397 @subsection Extending the lifetime of a CA certificate
399 You just realised that your CA certificate is going to expire soon and
400 that you need replace it with a new CA. The easiest way to do that
401 is to extend the lifetime of your existing CA certificate.
403 The example below will extend the CA certificate's lifetime by 10 years.
404 You should compare this new certificate if it contains all the
405 special tweaks as the old certificate had.
408 hxtool issue-certificate \
411 --lifetime="10years" \
412 --template-certificate="FILE:ca.pem" \
413 --template-fields="serialNumber,notBefore,subject,SPKI" \
414 --ca-private-key=FILE:ca.pem \
415 --certificate="FILE:new-ca.pem"
418 @subsection Subordinate CA
420 This example below creates a new subordinate certificate authority.
423 hxtool issue-certificate \
424 --ca-certificate=FILE:ca.pem \
427 --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
428 --certificate="FILE:dev-ca.pem"
432 @node Issuing certificates, Issuing CRLs, Creating a CA certificate, Top
433 @section Issuing certificates
435 First you'll create a CA certificate, after that you have to deal with
436 your users and servers and issue certificates to them.
438 @c I think this section needs a bit of clarity. Can I add a separate
439 @c section which explains CSRs as well?
444 @item Do all the work themself
446 Generate the key for the user. This has the problme that the the CA
447 knows the private key of the user. For a paranoid user this might leave
448 feeling of disconfort.
450 @item Have the user do part of the work
452 Receive PKCS10 certificate requests fromusers. PKCS10 is a request for a
453 certificate. The user may specify what DN they want as well as provide
454 a certificate signing request (CSR). To prove the user have the key,
455 the whole request is signed by the private key of the user.
459 @subsection Name space management
461 @c The explanation given below is slightly unclear. I will re-read the
462 @c RFC and document accordingly
464 What people might want to see.
466 Re-issue certificates just because people moved within the organization.
468 Expose privacy information.
470 Using Sub-component name (+ notation).
472 @subsection Certificate Revocation, CRL and OCSP
474 Certificates that a CA issues may need to be revoked at some stage. As
475 an example, an employee leaves the organization and does not bother
476 handing in his smart card (or even if the smart card is handed back --
477 the certificate on it must no longer be acceptable to services; the
480 You may also want to revoke a certificate for a service which is no
481 longer being offered on your network. Overlooking these scenarios can
482 lead to security holes which will quickly become a nightmare to deal
485 There are two primary protocols for dealing with certificate
489 @item Certificate Revocation List (CRL)
490 @item Online Certificate Status Protocol (OCSP)
493 If however the certificate in qeustion has been destroyed, there is no
494 need to revoke the certificate because it can not be used by someone
495 else. This matter since for each certificate you add to CRL, the
496 download time and processing time for clients are longer.
498 CRLs and OCSP responders however greatly help manage compatible services
499 which may authenticate and authorize users (or services) on an on-going
500 basis. As an example, VPN connectivity established via certificates for
501 connecting clients would require your VPN software to make use of a CRL
502 or an OCSP service to ensure revoked certificates belonging to former
503 clients are not allowed access to (formerly subscribed) network
507 @node Issuing CRLs, Application requirements, Issuing certificates, Top
508 @section Issuing CRLs
510 Create an empty CRL with no certificates revoked. Default expiration
511 value is one year from now.
519 Create a CRL with all certificates in the directory
520 @file{/path/to/revoked/dir} included in the CRL as revoked. Also make
521 it expire one month from now.
526 --signer=FILE:ca.pem \
527 --lifetime='1 month' \
528 DIR:/path/to/revoked/dir
531 @node Application requirements, CMS signing and encryption, Issuing CRLs, Top
532 @section Application requirements
534 Application place different requirements on certificates. This section
535 tries to expand what they are and how to use hxtool to generate
536 certificates for those services.
538 @subsection HTTPS - server
541 hxtool issue-certificate \
542 --subject="CN=www.test.h5l.se,DC=test,DC=h5l,DC=se" \
543 --type="https-server" \
544 --hostname="www.test.h5l.se" \
545 --hostname="www2.test.h5l.se" \
549 @subsection HTTPS - client
552 hxtool issue-certificate \
553 --subject="UID=testus,DC=test,DC=h5l,DC=se" \
554 --type="https-client" \
558 @subsection S/MIME - email
560 There are two things that should be set in S/MIME certificates, one or
561 more email addresses and an extended eku usage (EKU), emailProtection.
563 The email address format used in S/MIME certificates is defined in
564 RFC2822, section 3.4.1 and it should be an ``addr-spec''.
566 There are two ways to specifify email address in certificates. The old
567 way is in the subject distinguished name, @emph{this should not be used}. The
568 new way is using a Subject Alternative Name (SAN).
570 Even though the email address is stored in certificates, they don't need
571 to be, email reader programs are required to accept certificates that
572 doesn't have either of the two methods of storing email in certificates
573 -- in which case, the email client will try to protect the user by
574 printing the name of the certificate instead.
576 S/MIME certificate can be used in another special way. They can be
577 issued with a NULL subject distinguished name plus the email in SAN,
578 this is a valid certificate. This is used when you wont want to share
579 more information then you need to.
581 hx509 issue-certificate supports adding the email SAN to certificate by
582 using the --email option, --email also gives an implicit emailProtection
583 eku. If you want to create an certificate without an email address, the
584 option --type=email will add the emailProtection EKU.
587 hxtool issue-certificate \
588 --subject="UID=testus-email,DC=test,DC=h5l,DC=se" \
590 --email="testus@@test.h5l.se" \
594 An example of an certificate without and subject distinguished name with
595 an email address in a SAN.
598 hxtool issue-certificate \
601 --email="testus@@test.h5l.se" \
607 A PK-INIT infrastructure allows users and services to pick up kerberos
608 credentials (tickets) based on their certificate. This, for example,
609 allows users to authenticate to their desktops using smartcards while
610 acquiring kerberos tickets in the process.
612 As an example, an office network which offers centrally controlled
613 desktop logins, mail, messaging (xmpp) and openafs would give users
614 single sign-on facilities via smartcard based logins. Once the kerberos
615 ticket has been acquired, all kerberized services would immediately
616 become accessible based on deployed security policies.
618 Let's go over the process of initializing a demo PK-INIT framework:
621 hxtool issue-certificate \
622 --type="pkinit-kdc" \
623 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
624 --hostname=kerberos.test.h5l.se \
625 --ca-certificate="FILE:ca.pem,ca.key" \
627 --certificate="FILE:kdc.pem" \
631 How to create a certificate for a user.
634 hxtool issue-certificate \
635 --type="pkinit-client" \
636 --pk-init-principal="user@@TEST.H5L.SE" \
637 --ca-certificate="FILE:ca.pem,ca.key" \
639 --subject="cn=Test User" \
640 --certificate="FILE:user.pem"
643 The --type field can be specified multiple times. The same certificate
644 can hence house extensions for both pkinit-client as well as S/MIME.
646 To use the PKCS11 module, please see the section:
647 @pxref{How to use the PKCS11 module}.
649 More about how to configure the KDC, see the documentation in the
650 Heimdal manual to set up the KDC.
652 @subsection XMPP/Jabber
654 The jabber server certificate should have a dNSname that is the same as
655 the user entered into the application, not the same as the host name of
659 hxtool issue-certificate \
660 --subject="CN=xmpp1.test.h5l.se,DC=test,DC=h5l,DC=se" \
661 --hostname="xmpp1.test.h5l.se" \
662 --hostname="test.h5l.se" \
666 The certificate may also contain a jabber identifier (JID) that, if the
667 receiver allows it, authorises the server or client to use that JID.
669 When storing a JID inside the certificate, both for server and client,
670 it's stored inside a UTF8String within an otherName entity inside the
671 subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5).
673 To read more about the requirements, see RFC3920, Extensible Messaging
674 and Presence Protocol (XMPP): Core.
676 hxtool issue-certificate have support to add jid to the certificate
677 using the option @kbd{--jid}.
680 hxtool issue-certificate \
681 --subject="CN=Love,DC=test,DC=h5l,DC=se" \
682 --jid="lha@@test.h5l.se" \
687 @node CMS signing and encryption, CMS background, Application requirements, Top
688 @chapter CMS signing and encryption
690 CMS is the Cryptographic Message System that among other, is used by
691 S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of
692 the RSA, Inc standard PKCS7.
694 @node CMS background, Certificate matching, CMS signing and encryption, Top
695 @section CMS background
698 @node Certificate matching, Matching syntax, CMS background, Top
699 @chapter Certificate matching
701 To match certificates hx509 have a special query language to match
702 certifictes in queries and ACLs.
704 @node Matching syntax, Software PKCS 11 module, Certificate matching, Top
705 @section Matching syntax
707 This is the language definitions somewhat slopply descriped:
722 word IN ( word [, word ...])
723 word IN %@{variable.subvariable@}
731 @node Software PKCS 11 module, How to use the PKCS11 module, Matching syntax, Top
732 @chapter Software PKCS 11 module
734 PKCS11 is a standard created by RSA, Inc to support hardware and
735 software encryption modules. It can be used by smartcard to expose the
736 crypto primitives inside without exposing the crypto keys.
738 Hx509 includes a software implementation of PKCS11 that runs within the
739 memory space of the process and thus exposes the keys to the
742 @node How to use the PKCS11 module, , Software PKCS 11 module, Top
743 @section How to use the PKCS11 module
746 $ cat > ~/.soft-pkcs11.rc <<EOF
747 mycert cert User certificate FILE:/Users/lha/Private/pkinit.pem
750 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG