PKI Activities





Introduction

This page presents some of my involvement with Digital Certificates and Public Key Infrastructure.

One sign of too much involvement in X.509 is to have your own OID arc.  Mine, like thousands of others, is an IANA Private Enterprise Number

https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
Thus HTT Consulting's arc is:
1.3.6.1.4.1.6715
It has been used for testing and demonstrations, but no lasting OIDs.  That is probably for the best.

Over the years, I have run hot and cold about digital certificates and supporting infrastructure.  It is just so complicated, but there is really no large scale alternative.

The only related standard that has my name attached is
IEEE 802.1AR-2009
New things are coming to PKI.  New algorithms and encodings.

Watch here for some of these developments!


Roll your own CA

I have always wanted to be able to build my own CA.  I have looked at a number of packages, and one of these days I will actually choose one.  Meanwhile...

A good tutorial for rolling your own PKI using RSA certificates has been done by Jamie Nugyen:

https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
Jamie's guide follows the "Common Practice" of using distinguishName for all naming, not using subjectALtName.

But I want an ECDSA PKI and follow the RFCs and current Best Practice using subjectAltName, so I had to take Jamie's work and with other sources, develop a quick guide:
http://www.htt-consult.com/pki/pki-ecdsa-steps.txt
Jamie's guide is still very much worth reading, as it goes into a lot of the 'why' as well as shows results.  I do not plan on adding this level of detail.

I may get around to embellishing this more; perhaps turn it into a set of scripts.  Of more immediate need is adding CRL and OCSP support.  Then I will probably publish as an Internet Draft for wider use.

It was a bit of a bumpy road and here are some "Lessons Learned"
http://www.htt-consult.com/pki/openSSL-lessons-learned.txt
I really want to move on to EdDSA certificates, but that has to wait for Openssl 1.1.1

Or more likely, sooner we will have Internet Drafts for using CBOR for certificate encoding!  This should make them much smaller.


Adding 802.1AR Certificates to your CA

I am a strong advocate of the IEEE 802.1AR Secure Device Identity technology built on top of X.509.  It does have its specific certificate profile.  The following steps through creating a specific 802.1AR Intermediate ECDSA CA and then the device ECDSA certificates.

Again, this is based on the guide done by Jamie Nugyen.

http://www.htt-consult.com/pki/pki-ecdsa-8021AR-steps.txt
There is still work to do on this guide.  In particular, the subjectAltName (SAN) may not be right.  I am still researching the use of hardwareModuleName (HMN).  Also the SAN has to be supplied in the config file; I need a way to provide it interactively.

Finally, there is no direct support of HMN in openssl.  The method used is awkward and difficult to display.  But all indications are that it is correct.  And the certificates still need to be checked against the 802.1AR PICS (Protocol Implementation Conformance Statement).

You can EMail Robert at mailto:rgm at htt-consult.com  his desk...

Updated


© Robert G. Moskowitz -- 2017