#1
Hello,

does anyone have a howto on how to generate a self-signed extended validation certificate, or on how to set up my own CA for local use that gives out EVN certificates?

I know how to do this for normal certificates, but was unable to find more details on extended validation certificates...

Thanks
Jakob

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
#2
Hello Jakob

On Monday 25 August 2008 08:51:42 Jakob Grießmann wrote:
> Hello,
>
> does anyone have a howto on how to generate a self-signed extended
> validation certificate, or on how to set up my own CA for local use
> that gives out EVN certificates?
>
> I know how to do this for normal certificates, but was unable to find
> more details on extended validation certificates...

I take it what you are really shooting for is the fancy "make the location bar go green, and display the company name" in a browser. Unfortunately, from my understanding, that's not possible (and that's what makes EVSSL certs actually worth something).

From my understanding, what tells the browser to give all of those visual clues to the user that EVSSL certs convey is as follows:

1: The Certificate is signed by an EVSSL provider, as certified by the CA/Browser forum. (The CA have to pass an audit showing they conform to the EVSSL Certificate policy, and submit the results to the browser writers.)
2: The Certificate asserts one of the EV/SSL Certificate Policy OIDs from one of those CAs.
3: The Certificate contains the correctly formatted DN as per the Certificate Policy promulgated by the CA/Browser forum.

So, you COULD produce a certificate that has the correctly formatted DN in it, but aside from that, you're pretty much stuck, I'm afraid, unless you were to completely replace one of the EVSSL Certificate providers' root CA certificates and all of the intermediate chains in the browser, and those CA certs were all correctly formatted, and the server certificate was also correctly formatted. And even then I'm not sure that it would work, as I've got no idea if the browsers have some sort of checksum or hash that they compare the CA certificate to.

Even if you were to get all of the technical bits correct, and replace the appropriate bits in the browser, I imagine that some CA authority's legal department may want to have a word with you for corporate impersonation.

So, no, you can't do this with a self signed certificate, no matter what the toolkit.

Have fun.

-- 
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
#3
Well, it sounds like there *is* another, more legally correct way: set up your own CA (easy!) and do what it takes to get it certified by the CA/Browser Forum (should be difficult). Then you'd legally have the privilege of coining the cert.s that you want. I seriously doubt that issuance of self-signed cert.s would pass the audit, but your CA doesn't have to work that way.

The question then is whether the ability to issue EV cert.s yourself is worth the effort and expense of doing it properly.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.
#4
Hi there,

thanks for the fast replies! When you want to make your own non-EV CA recognized by the browser, it's easy, you just have to import your CA as trusted root, then it works. Isn't there a similar way for EV CAs, like producing your EV CA and simply adding it to the trusted root of the browser? Is it much more complicated?

Thanks,
Jakob
#5
On August 25, 2008 11:38:36 am Jakob Grießmann wrote:
> Hi there,
>
> thanks for the fast replies! When you want to make your own non-EV CA
> recognized by the browser, it's easy, you just have to import your CA
> as trusted root, then it works. Isn't there a similar way for EV CAs,
> like producing your EV CA and simply adding it to the trusted root of
> the browser? Is it much more complicated?
>

I believe that the list of OIDs and their associated CAs that are "Certified" for EVSSL are hardcoded into the browser somewhere (perhaps in the executable, but I really have no idea). I do know that you can't just add a Root CA cert in somewhere, you also have to add your CA into the "list of trusted EVSSL providers", which is much more complicated.

This is one of the reasons that EV SSL certificates have value - it has been set up in such a way that it is very difficult (I don't like saying impossible, because someone always proves me wrong) for anyone to fake a properly issued EV SSL certificate.

As Mark said in a previous reply - the only sure way to be recognised by the browsers is to set up an EVSSL CA according to the CA/Browser forum's Certificate Policy, and then pass the required audits that Microsoft, Mozilla, KDE and Opera require.

Hope that helps.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
#6
> thanks for the fast replies! When you want to make your own non-EV CA
> recognized by the browser, it's easy, you just have to import your CA
> as trusted root, then it works. Isn't there a similar way for EV CAs,
> like producing your EV CA and simply adding it to the trusted root of
> the browser? Is it much more complicated?
>
> Thanks,
> Jakob

Your question is "how can I make an extended validation certificate without extended validation"? The answer is -- you can't, because going through extended validation is what makes an EV certificate an EV certificate.

Now, if your question is "how can I trick a browser into thinking a certificate is an EV certificate when it isn't", the answer would be that you'd have to exploit some bug or defect in the browser. No such bugs or defects are known, and if any were known, they would be fixed.

What is your actual problem?

DS
#7
A Swiss Company called Keyon has a paper entitled "Faking EV SSL in IE7". They show how to cobble together your own root certificate, in order to get the green address bar for whoever you want, in IE7. You have to get the new root certificate imported, but then you get into the world of Extended Validation, which should not happen.

http://www.keyon.ch/de/News/Faking%2...07%20V1.1b.pdf

Let me know if you try it -- I'd love to hear about it.

Mike
#8
Hi,

basically, I want to play around with EVN for documentation and development purposes, and the only way of getting a "cheap" certificate is creating one on my own... so a pointer would be welcome.

Thanks
Jakob
#9
Hi,

> It is likely that the documentation will also describe what extensions
> must be included to mark an end-entity certificate as EV. I don't
> know the details.

okay, I will dig deeper there. :-) Thanks!

Does anyone have an instruction on how to generate a certificate with the needed OIDs? What parameters do I have to supply to OpenSSL?

Thanks,
Jakob
#10
On August 28, 2008 01:54:50 pm Jakob Grießmann wrote:
> Hi,
>
> > It is likely that the documentation will also describe what extensions
> > must be included to mark an end-entity certificate as EV. I don't
> > know the details.
>
> okay, I will dig deeper there. :-) Thanks!
>
> Does anyone have an instruction on how to generate a certificate with
> the needed OIDs? What parameters do I have to supply to OpenSSL?
>

Take a look at the CA/Browser forum web site at:

http://www.cabforum.org/

If you read their specifications at:

http://www.cabforum.org/EV_Certifica...elines_V11.pdf

The information is in there:

Essentially, you need to have the Subject DN formatted with

O= The Organisation to whom the Certificate is being issued.
businessCategory (OID 2.5.4.15) = one of the values on page 10 of the above
Locality (if required by the entity's incorporation level):
        subject:jurisdictionOfIncorporationLocalityName (OID 1.3.6.1.4.1.311.60.2.1.1)
        ASN.1 - X520LocalityName as specified in RFC 3280
State or province (if required by the entity's incorporation level):
        subject:jurisdictionOfIncorporationStateOrProvinceName (OID 1.3.6.1.4.1.311.60.2.1.2)
        ASN.1 - X520StateOrProvinceName as specified in RFC 3280
Country:
        subject:jurisdictionOfIncorporationCountryName (OID 1.3.6.1.4.1.311.60.2.1.3)
        ASN.1 - X520countryName as specified in RFC 3280
serialNumber = the Business Registration number of the Company asserted in the O= value.
Number & street (optional)      subject:streetAddress (OID 2.5.4.9)
City or town                    subject:localityName (OID 2.5.4.7)
State or province (if any)      subject:stateOrProvinceName (OID 2.5.4.8)
Country                         subject:countryName (OID 2.5.4.6)
Postal code (optional)          subject:postalCode (OID 2.5.4.17)
CN= the FQDN of the server or device that is being asserted.

And the rest of the stuff is in Appendix B of the above PDF.

For information on how to set up a CA and configure most of those parameters (aside from the DN), check out the whitepaper that my colleague published at:

http://www.carillon.ca/library/howtos.php

(The CertiPath OpenSSL howto - CertiPath's certificate profiles require many of the same settings as the CA/Browser forum)

Now - OpenSSL doesn't yet know about a lot of the Subject fields - so you may have issues encoding them correctly. You can use the [new_oids] section of the openssl.cnf file to define the OID to name mapping, and then use that in the [req] sections to generate the original DN; however, that may cause some of the entries to be formatted in a not quite standards compliant way (i.e.: it may generate IA5Strings instead of UTF-8 or printableString values).

However, it should get you at least started.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
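As an added worked example (not code from the thread, from Carillon or from the CA/Browser forum), this openssl.cnf fragment puts the subject DN fields Patrick lists, plus a certificate policy OID as in point 2 of his first reply, into a self-signed test certificate. The company, registration number, host name and policy OID are made-up placeholders, and the [new_oids] names are assumed not to collide with the short names newer OpenSSL releases already define for these OIDs.

```ini
# ev-test.cnf: added example, not from the thread or the Carillon howto.
# Company, registration number, host name and policy OID are placeholders;
# the field OIDs are the ones listed in the thread. A browser will still
# not treat the result as EV (the policy OID is in no EV CA list); this
# only exercises the DN encoding for documentation and development.
# Generate and inspect:
#   openssl req -new -x509 -config ev-test.cnf -newkey rsa:2048 -nodes \
#       -keyout ev-test.key -out ev-test.crt -days 365
#   openssl x509 -in ev-test.crt -noout -text -nameopt RFC2253

oid_section = new_oids

[new_oids]
# Long names, assumed not to clash with names built into newer OpenSSL.
jurisdictionOfIncorporationLocalityName        = 1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName         = 1.3.6.1.4.1.311.60.2.1.3
# PLACEHOLDER under a private arc; not any real CA's EV policy OID.
evTestPolicy = 1.3.6.1.4.1.99999.1.1

[req]
prompt             = no
utf8               = yes
# utf8only avoids the IA5/T61 encodings Patrick warns about. Fields OpenSSL
# knows (C, L, ST) keep their X.520 types; the new OIDs get UTF8String, so
# compare the -text output with the types the guidelines require.
string_mask        = utf8only
distinguished_name = ev_subject
x509_extensions    = ev_leaf_exts

[ev_subject]
C                = DE
ST               = Bayern
L                = Muenchen
street           = Beispielstrasse 1
postalCode       = 80331
O                = Example GmbH
businessCategory = Private Organization
serialNumber     = HRB 000000
jurisdictionOfIncorporationCountryName         = DE
jurisdictionOfIncorporationStateOrProvinceName = Bayern
jurisdictionOfIncorporationLocalityName        = Muenchen
CN               = www.example.test

[ev_leaf_exts]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = DNS:www.example.test
certificatePolicies = evTestPolicy
```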
#11
Jakob,

Did you find a way to include your CA OID in the list of EV CAs in any browser? In Firefox they are hardcoded, but I'm not sure about other browsers.

Or, are you going to try to use the OID of an existing EV CA and put that in your certificate? The latter should not be possible, but I can't tell what mechanism there is to prevent it.

You probably already know that if your certificate doesn't have an EV CA OID, the browser probably won't recognize it as an EV certificate.

Regards,
Peter
#12
Hi Patrick,

> However, it should get you at least started.

thanks a lot, that helps me out!

Jakob