Openssl Pkcs10

To compile OpenSSL with pkcs11 engines, you need to apply a special patch which can be found at Miscellaneous OpenSSL Contributions. This patch is maintained by Jan Pechanec who's blog has more information about it.
  1. Openssl Pkcs10 Install
  2. Openssl Pkcs11

OpenSSL requires engine settings in the openssl.cnf file. Some OpenSSL commands allow specifying -conf ossl.conf and some do not. Setting the environment variable OPENSSLCONF always works, but be aware that sometimes the default openssl.cnf contains entries that are needed by commands like openssl req. Openssl pkcs10 -text -in server.csr If everything seems correct, paste it into the application on Sectigo's order page. When the certificate is approved, you will receive an email with links to download the certificate. Installing OpenSSL in Windows.

  • RFC 2986 Certification Request Syntax Specification November 2000 Note 1 - An entity would typically send a certification request after generating a public-key/private-key pair, but may also do so after a change in the entity's distinguished name. Note 2 - The signature on the certification request prevents an entity from requesting a certificate with another party's public key.
  • # rpm -q openssl openssl-1.1.1c-2.el8.x8664. If it is not installed then based on your distribution you can install openssl package. I am using RHEL/CentOS so I will use yum to install opensll. For Ubuntu, Debian you can use apt-get # yum -y install openssl.

The latest conribution is for OpenSSL 0.9.8j, but when writing this, OpenSSL was at 0.9.8p. I spent about an hour and patched his patch to the latest release. You'll at least need to change the shabang.

Openssl Pkcs10 Install

Using the Solaris Cool Tools version of gcc (GCC4SS) version 4.3.3, I can use additional niagara2 optimizations that are not available with the OS-bundled gcc.
My compile script ends up looking like (minus my environment variables):
Openssl pkcs10 downloadgunzip -c openssl-${OPENSSL_VER}.tar.gz tar xfvp -
#Change to the build directory
cd openssl-${OPENSSL_VER}
# apply pkcs11 patch
gpatch -p1 < ../pkcs11_engine-0.9.8p.2009-11-19/pkcs11_engine-0.9.8p
# fix the solaris optimizations to use niagara2
cp Configure Configure.old
nawk ' /solaris64-sparcv9-gcc/ { gsub(/-mcpu=ultrasparc/,'-mcpu=niagara2'); print $0 } ! /solaris64-sparcv9-gcc/ { print $0 } ' Configure.old > Configure
Certificate# note the --pk11-libname parameter added by the patch
./Configure --prefix=${OPENSSL_DIR} --pk11-libname=/usr/lib/sparcv9/libpkcs11.so threads shared solaris64-sparcv9-gcc -R${GCCRT_DIR}/lib/sparcv9 -L${GCCRT_DIR}/lib/sparcv9Openssl create pkcs10
make
make install

Continuing the story about new release I will talk about two interesting features.

Previously there was only basic PKCS#10 certificate request support. However, there are many cases when certificate request is composed in a PKCS#7 signed message. As a start point, I tried to utilize both, EnvelopedCms and SignedCms and other related classes in the PKCS namespace. However, I quickly figured out that these classes are completely useless and do not provide any way to access PKCS#7 contents. Shame on .NET!

Eventually, I opened a PKCS#7 ASN module and started manual decoding procedure. Hopefully, I already have enough good generic ASN.1 structure parser (in ASN namespace), which was combined with some p/invoke to decode common structures. As the result, I ended with several classes in my own PKCS namespace. Classes which names ends with 2 – are my own implementations of corresponding .NET classes.

Main class to decode PKCS#7 signed message is PKCS7SignedMessage class. It has properties which corresponds to PKCS#7 ASN module properties. Actual signed message is stored in the Content property which is of Object return type. Generic Object type is necessary, because PKCS#7 message content can be whatever you can imagine. If this is a request, then Content property contains embedded PKCS#10 certificate request. If this archived key BLOB, then there will be an appropriate object. To determine what object is stored in the Content property, I introduced ContentType property. As you can see from the content type -> content binding table, only CMC request is implemented so far.

Content property will contain an array of embedded objects. For example, an array of PKCS#10 objects, although, there cannot be more than one request in the PKCS#7 message. This behavior came from PKCS#7 ASN module which allows multiple objects of ContentType in the Content property.

Other content types causes a raw byte array in the Content property.

Here is how it looks:

Therefore we can access Content property and should see an array of X509CertificateRequest objects:

And here we see a common PKCS#10 request object. In addition I displayed request extensions. What if there is some other content?

I grabbed archived key blob. Content type is generic PKCS 7 Data. Actually it stores encrypted archived key and Certificates property contains key recovery agents certificates and certificate chains.

Previous section talked about general use of PKCS#7 message. In order to work with certificate request, I extended X509CertificateRequest class by supporting both, PKCS#10 and CMC/PKCS#7 certificate requests:

Openssl Pkcs11

Generic X509CertificateRequest supports any of them, so you don’t need to care which certificate request format is stored in the file. Just pass the file to the class constructor and it will do the rest. There are two properties that makes difference:

  • RequestType – identifies whether the request is PKCS#10 or PKCS#7.
  • ExternalData – gets the PKCS#7 envelope. It is null for PKCS#10 requests. In other words, ExternalData property is raw PKCS#7 object, and current X509CertificateRequest object is extracted object from Content property.

Another small, but useful feature is certificate request dump in a certutil-style. Call ToString() method on X509CertificateRequest object:

The output is *similar* to certutil, not the same. I slightly adjusted rendered data to make it less confusing, but followed formatting rules to make it more familiar.

And the last section in today’s article. It is uncommon when certificate request contains CNG key and CNG signature. And once again, I struggled with awful CNG key support in .NET. I was forced to write additional code, hacks and tricks to make it working. Moreover, I didn’t found any working solution in internet. You can find such code samples in MessageSignature.cs file in PKI.Core.dll sources.

However, it now works:

The code now easily validates CNG signatures.

Actually PKCS#7 and CNG extensions took the most time in this PSPKI module release development. However, I’m really glad that PowerShell got enough powerful PKI support. And it is not the limit! It is sad that Microsoft invests too little in PowerShell and PKI integration. On the other hand, I wouldn’t wrote PSPKI module which was started as an ad-hoc solution for my internal needs and evolved into a sort of decent project. In next post I will cover some new features in X.509CRL and, maybe, something else.