osx - How to install a DER binary encoded, GOST R 34.10-2001 root certificate (.crt) on Mac?
2014-04
I would like to install this certificate on my Mac running OSX 10.9.1.
I've downloaded it, but when I double click, keychain is opened and that is it.
Can not install it with command line also:
user$ sudo certtool i ca_fns_rusia.crt
Password:
***pemDecode: no terminator found
***ca_fns_russia.crt: Bad PEM formatting. Aborting.
The answer in your case appears to be "you can't".
Using OpenSSL, I was able ascertain that your certificate is apparently using the "DER" binary encoding format instead of the more common "PEM" ASCII/Base64 format, which is an easy problem to solve.
But that was the just the initial hurdle. The bigger problem is that it uses a Russian crypto algorithm known as "GOST R 34.10-2001", which may not be widely supported in the west. At least, I can find no mention of it being supported by Mac OS X's built-in security libraries. So there's probably no chance you can import it into the Keychain, and you wouldn't be able to do anything with it even if you could.
You might want to look at which third-party web browsers (or email apps, or whatever you're trying to do) support GOST and support using their own set of certificates instead of fully relying on the OS's Keychain and crypto services.
I would like to setup my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.
I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this however. Does anyone know where I can find this information?
Edit
In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:
ROOT -> A -> B -> C -> ...
I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.
My command for creating the root certificate is:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Certificate A is created like this:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.
Certificate B however must only rely on A, which is not registered in the config file, so the previous command won't work here.
What command line should I use to create certificates B and beyond?
Edit
I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365
# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
I also changed the openssl.cnf file:
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
This approach seems to be working well.
You can use OpenSSL directly.
Create a Certificate Authority private key (this is your most important key):
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer
(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)
Once you have created your CA you could use it to sign thus :
Create a key :
openssl genrsa -out key_A.key 1024
Create a csr :
openssl req -new -key key_A.key -out csr_A.csr
You are about to be asked to enter information etc....
Sign it :
openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt
and so on with B replacing *_A with *_B and CA_certificate_you_created.crt
with crt_A.crt
and CA_key_you_created.key
with key_A.key
Your changing :
basicConstraints=CA:TRUE # prev value was FALSE
means that the certificates you issue can be used to sign other certificates.
OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.
Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.
If I recall correctly, the syntax goes something like this:
CA.pl -newca # Create a new root CA
CA.pl -newreq # Create a new CSR
CA.pl -sign # Sign a CSR, creating a cert
CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine