Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Create certificate with QCStatements using OpenSSL

Tags:

certificate

openssl

ca

I want to create mock CA and set QCStatements extension, but I can't find any information about setting it using OpenSSL. I was looking about I found some old topics where people looking for this information, but no one answer. Is this possible to set QCStatements using openSSL?

like image 726
chebad Avatar asked Jun 26 '19 12:06

chebad

1 Answers

It is possible with pure openssl. You have to create configuration for the signing request with all required qcStatements information and then sing the certificate copying the requested extension.

Sample configuration file

[req]
distinguished_name = req_distinguished_name
req_extensions = qcStatements

[req_distinguished_name]

[qcStatements]
1.3.6.1.5.5.7.1.3=ASN1:SEQUENCE:qcStatement

[qcStatement]
etsiQcsCompliance=SEQUENCE:etsiQcsCompliance
qcs-QcPDS=SEQUENCE:qcs-QcPDS
id-qc-statement=SEQUENCE:id-qc-statement
qcs-QcType=SEQUENCE:qcs-QcType
[etsiQcsCompliance]
statementId=OID:0.4.0.1862.1.1
[qcs-QcPDS]
statementId=OID:0.4.0.1862.1.5
QcPDS-List=SEQUENCE:QcPDS-List
[QcPDS-List]
QcPDS1=SEQUENCE:QcPDS1
[QcPDS1]
url=IA5STRING:https://example.org/pkidisclosure
description=PRINTABLESTRING:example

[id-qc-statement]
statementId=OID:0.4.0.19495.2
statementInfo=SEQUENCE:id-qc-statement-Info
[id-qc-statement-Info]
rolesOfPSP=SEQUENCE:rolesOfPSP
nCAName=UTF8String:Dummy Financial Supervision Authority
nCAId=UTF8String:XX-DFSA
[rolesOfPSP]
PSP_AI=SEQUENCE:PSP_AI
PSP_AS=SEQUENCE:PSP_AS
PSP_PI=SEQUENCE:PSP_PI
PSP_IC=SEQUENCE:PSP_IC
[PSP_AI]
roleOfPspOid=OID:0.4.0.19495.1.3
roleOfPspName=UTF8String:PSP_AI
[PSP_AS]
roleOfPspOid=OID:0.4.0.19495.1.1
roleOfPspName=UTF8String:PSP_AS
[PSP_PI]
roleOfPspOid=OID:0.4.0.19495.1.2
roleOfPspName=UTF8String:PSP_PI
[PSP_IC]
roleOfPspOid=OID:0.4.0.19495.1.4
roleOfPspName=UTF8String:PSP_IC
[qcs-QcType]
statementId=OID:0.4.0.1862.1.6
statementInfo=SEQUENCE:qcs-QcType-Info
[qcs-QcType-Info]
qct-esign=OID:0.4.0.1862.1.6.1
qct-eseal=OID:0.4.0.1862.1.6.2
qct-web=OID:0.4.0.1862.1.6.3

You have to apply configuration to signing request

openssl req -new -key dummy.key -out dummy.csr -subj /C=XX/CN=dummy -config qcstatements.conf

And then sign with option to copy extensions from request inside CA configuration file.

copy_extensions = copy
like image 168
AGrzes Avatar answered Sep 30 '22 12:09

AGrzes
Sign in to Comment

Related questions

Included OpenSSL as a static library, but it's still looking for a DLL?
Breaking up large data for RSA encryption
Unlimited Domains, Subdomains Certs with startssl.com?
sendmail: OpenSSL::SSL::SSLError: hostname was not match
What's means of Self-Signed Certificate in OpenSSL
Disabling TLS 1.1 in node.js?
Node.js verify function does not verify signature when openssl command line does
Checking provisioning profile's developer certificate validity
SSL_connect error when accessing Shopify API with rubygem
shell script to generate self signed ssl unattended
sync_close in ruby's openssl library
I'd like to create SSL sertificates for my test environment
Puma installation error on windows
Can't bypass OpenSSL verification - certificate verify failed (OpenSSL::SSL::SSLError)
Finding path of static system libraries in Linux
Windows .crl to .pem for nginx
Cannot use IP in Node.js for self-signed certificate
Linux SGX enclave with OpenSSL
Calculating maximum length of AES encrypted message
Intermittent "getrandom() initialization failed" using scrapy spider

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!