How can I persist values of KeyUsage and BasicConstraints in the ECDSA based certificates from LetsEncrypt?


I am trying to set up a CA and I need a root certificate for this CA. This root certificate has to be signed by a public CA and the signing algorithm has to be ECDSA with prime256v1 curve.

I am following [this issue][1] on the LetsEncrypt forum. However, I am using a separate utility for generating the keys and CSR. This utility helps me generate ECDSA keys and CSR successfully. Following is the CSR that's generated:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=MyOrg, L=Bengaluru, ST=Karnataka, C=IN, CN=mydomain.in
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <value>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
        <value>

So, basically I am getting correct values for KeyUsage and BasicConstraints in the extension.

Now, for the next step, I am using the following command from my ec2 instance:

certbot certonly -d <mydomain> --server https://acme-v02.api.letsencrypt.org/directory --csr <csr_generated_above> --cert-name <mydomain>

Using this command I'm able to get a certificate signed by LetsEncrypt along with the certificate chain. However, in the certificate that is generated, I get different values for KeyUsage and BasicConstraints:

Owner: CN=<my_domain>
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: <value>
Valid from: Fri Jan 03 14:46:29 UTC 2020 until: Thu Apr 02 14:46:29 UTC 2020
Certificate fingerprints:
    SHA1: <value>
    SHA256: <value>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 256-bit EC key
Version: 3

Extensions: 

#1: <value>
#2: <value>
#3: <value>

#4: ObjectId: <value> Criticality=true
BasicConstraints:[
    CA:false
    PathLen: undefined
]

#5: <value>
#6: ObjectId: <value> Criticality=false
ExtendedKeyUsages [
    serverAuth
    clientAuth
]

#7: ObjectId: <value> Criticality=true
KeyUsage [
    DigitalSignature
]

#8: <value>
#9: <value>

As seen above, the KeyUsage, BasicConstraints and Signature algorithm are not persisted. And the issue is that my CA needs one of the KeyUsage values to be 'Certificate Sign', due to which my CA is not able to spin up.

So my question is:

  1. Is it feasible to get a root cert for my CA from LetsEncrypt?
  2. If yes, do we need to pass some extra flags with the cert bot command?
  3. Or where am I getting this wrong?

I'm quite new to using a public CA for certificate generation.

[1]: http://And%20are%20there%20any%20other%20open%20source%20public%20ca%20that%20could%20be%20used%20for%20generating%20ecdsa%20based%20certs%20for%20testing%20purpose%20other%20than%20openssl? "broken link!"

Answer 1

Score: 1

LetsEncrypt does not issue anything except Domain Validated certificates. No code signing certificates, no root CA certificates, nothing else.

https://letsencrypt.org/docs/faq/
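Since Let's Encrypt will not sign a CA certificate, a test CA has to mint its own root. The following is an added example, not code from the question or the answer: an OpenSSL script that creates a prime256v1 root with the extensions the question's CSR asked for (CA:TRUE, Certificate Sign, CRL Sign, ECDSA signature) and then checks the resulting certificate for exactly the fields the question found missing. The output directory and subject name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -eu

# Create a self-signed ECDSA P-256 root CA in $1 (assumed output directory).
make_root_ca() {
  dir=${1:-./ca-demo}
  mkdir -p "$dir"
  # Extension profile for a root CA; this is what a DV-only public CA
  # such as Let's Encrypt will never copy from a CSR into an issued cert.
  cat > "$dir/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
O = MyOrg
C = IN
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/root.key" \
    -config "$dir/root.cnf" -out "$dir/root.pem"
}

# Print "ok" if the certificate in $1 carries CA:TRUE, the Certificate Sign
# key usage and an ECDSA/SHA-256 signature; otherwise print "missing".
# These are the three properties the question's Let's Encrypt cert lacked.
check_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE'            || { echo missing; return 1; }
  printf '%s\n' "$txt" | grep -q 'Certificate Sign'   || { echo missing; return 1; }
  printf '%s\n' "$txt" | grep -q 'ecdsa-with-SHA256'  || { echo missing; return 1; }
  echo ok
}

make_root_ca ./ca-demo
check_ca_cert ./ca-demo/root.pem
```

The same `check_ca_cert` function can be pointed at the certificate certbot returned to confirm, before starting the CA, that it is a leaf certificate rather than a CA certificate.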

huangapple
  • Posted on 2020-01-04 00:48:44
  • Please keep this link when reposting: https://go.coder-hub.com/59582286.html