nuts-foundation/nuts-node

pki/test/README.md

# Generate chain
`sh generate.sh` creates the trust chain using the configuration in `openssl.conf`.
Before running it, set your machine's clock at least one hour in the past: Intermediate C's CRL is only valid for one hour, so generating it with the clock set back makes it expired by the time the tests run.

All sub/intermediate CAs share the same config and therefore the same CA database (the index of issued and revoked certificates that `openssl ca` keeps), so a revocation recorded for one CA is visible to all of them.
Revocations currently end up on the right CRL only because of the order in which `generate.sh` revokes certificates and generates CRLs; reordering those steps will produce wrong CRLs.

# Errors?!?!
macOS ships `LibreSSL` as its default `openssl`, and LibreSSL does not apply `openssl.conf` correctly.
Check which one you have with `openssl version`. This script has been tested with `OpenSSL 1.1.1t  7 Feb 2023` as distributed by `Homebrew`.

# Certificate chain

The properties listed for each certificate below are:
```
CommonName (as it appears on the certificate)
- serial: the certificate's serial number
- status: one of valid, revoked, expired
- CRL: the CRL issued by this cert
- Issues: certificates issued by this cert. When revoked, they appear on the listed CRL.
- File: the file the cert is in. Only leaf certs contain a private key.
```

The actual chain:
```
Root CA
- serial: 01
- status: valid
- CRL: RootCALatest.crl
- Issues: Intermediate A CA, Intermediate B CA
- File: truststore.pem

Intermediate A CA
- serial: 02
- status: valid
- CRL: IntermediateCAALatest.crl
- Issues: CertA Valid, CertA Revoked, CertA Expired
- File: truststore.pem

Intermediate B CA
- serial: 03
- status: revoked
- CRL: IntermediateCABLatest.crl
- Issues: CertB Valid
- File: truststore.pem

Intermediate C CA
- serial: 04
- status: valid
- CRL: IntermediateCACLatest.crl that expires after 1 hour
- Issues: CertC Valid
- File: truststore.pem

CertA Valid
- serial: 05
- status: valid
- File: A-valid.pem

CertA Revoked
- serial: 06
- status: revoked
- File: A-revoked.pem

CertA Expired
- serial: 07
- status: expired
- File: A-expired.pem

CertB Valid
- serial: 08
- status: valid (but CA is revoked)
- File: B-valid_revoked-CA.pem

CertC Valid
- serial: 09
- status: valid (but CRL is expired)
- File: C-valid.pem
```
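The table above is easiest to understand by checking it: each leaf is classified by walking leaf, intermediate, root and consulting the CRL issued by the parent at every step. The Go program below is an added example, not code from the nuts-node repository; it rebuilds the same serials, statuses and CRLs in memory (ECDSA P-256 keys, one-month CRLs for all CAs except Intermediate C, whose one-hour CRL is issued two hours ago so that it is already expired, the same effect as generating with the clock set back) and returns the verification result per leaf. The README does not say who issues Intermediate C CA; the example assumes the Root CA does. Go's `x509.Certificate.Verify` does not consult CRLs at all, so the revocation checks are done explicitly on the parsed `x509.RevocationList`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Statuses from the table in this README, plus two for the CertB and CertC cases.
const (
	Valid, Revoked, Expired = "valid", "revoked", "expired"
	CARevoked, CRLExpired   = "ca-revoked", "crl-expired" // issuer on parent's CRL; issuer's CRL past NextUpdate
)

// entity is a certificate with its signing key and issuer (nil for the self-signed root); keys stay in memory.
type entity struct {
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	issuer *entity
}

// issue creates a certificate with the given serial signed by parent (self-signed when nil); it panics on failure.
func issue(serial int64, cn string, isCA bool, notBefore, notAfter time.Time, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // certSign to issue certificates, cRLSign so CreateRevocationList accepts this CA as issuer
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer := &entity{cert: tmpl, key: key}
	if parent != nil { signer = parent }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &entity{cert: cert, key: key, issuer: parent}
}

// genCRL signs a CRL for issuer listing revoked; validity sets NextUpdate (one hour reproduces Intermediate C).
func genCRL(issuer *entity, revoked []*x509.Certificate, thisUpdate time.Time, validity time.Duration) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(validity)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key)
	if err != nil { panic(err) }
	crl, err := x509.ParseRevocationList(der)
	if err != nil { panic(err) }
	return crl
}

// statusOf checks one link of the chain: issuer signature, validity period and the issuer's CRL.
// Go's x509.Certificate.Verify never consults CRLs, so the revocation part has to be done by hand.
func statusOf(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	if err := cert.CheckSignatureFrom(issuer); err != nil { return "", err }
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { return Expired, nil }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return "", err }
	if now.After(crl.NextUpdate) { return CRLExpired, nil } // stale CRL: "not listed" is not "not revoked"
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return Revoked, nil }
	}
	return Valid, nil
}

// VerifyLeaf walks leaf -> intermediate -> root; a revoked intermediate taints a leaf that is itself fine (CertB).
func VerifyLeaf(leaf, inter, root *x509.Certificate, interCRL, rootCRL *x509.RevocationList, now time.Time) (string, error) {
	caStatus, err := statusOf(inter, root, rootCRL, now)
	if err != nil || caStatus != Valid {
		if caStatus == Revoked { caStatus = CARevoked }
		return caStatus, err
	}
	return statusOf(leaf, inter, interCRL, now)
}

// BuildFixture recreates the serials, statuses and CRLs of the table above in memory, evaluated at now,
// and returns the verification result per leaf CommonName.
func BuildFixture(now time.Time) (map[string]string, error) {
	year, month, hour := 365*24*time.Hour, 30*24*time.Hour, time.Hour
	root := issue(1, "Root CA", true, now.Add(-year), now.Add(10*year), nil)
	interA := issue(2, "Intermediate A CA", true, now.Add(-year), now.Add(5*year), root)
	interB := issue(3, "Intermediate B CA", true, now.Add(-year), now.Add(5*year), root)
	interC := issue(4, "Intermediate C CA", true, now.Add(-year), now.Add(5*year), root) // issuer assumed; README does not say
	aValid := issue(5, "CertA Valid", false, now.Add(-hour), now.Add(year), interA)
	aRevoked := issue(6, "CertA Revoked", false, now.Add(-hour), now.Add(year), interA)
	aExpired := issue(7, "CertA Expired", false, now.Add(-2*year), now.Add(-year), interA)
	bValid := issue(8, "CertB Valid", false, now.Add(-hour), now.Add(year), interB)
	cValid := issue(9, "CertC Valid", false, now.Add(-hour), now.Add(year), interC)
	rootCRL := genCRL(root, []*x509.Certificate{interB.cert}, now.Add(-hour), month) // Intermediate B CA revoked
	crls := map[*entity]*x509.RevocationList{
		interA: genCRL(interA, []*x509.Certificate{aRevoked.cert}, now.Add(-hour), month),
		interB: genCRL(interB, nil, now.Add(-hour), month),
		interC: genCRL(interC, nil, now.Add(-2*hour), hour), // one-hour CRL issued two hours ago: already expired
	}
	result := map[string]string{}
	for _, leaf := range []*entity{aValid, aRevoked, aExpired, bValid, cValid} {
		st, err := VerifyLeaf(leaf.cert, leaf.issuer.cert, root.cert, crls[leaf.issuer], rootCRL, now)
		if err != nil { return nil, err }
		result[leaf.cert.Subject.CommonName] = st
	}
	return result, nil
}

func main() {
	result, err := BuildFixture(time.Now())
	if err != nil { panic(err) }
	fmt.Println(result)
}
```

`CertB Valid` comes out as `ca-revoked` and `CertC Valid` as `crl-expired`, which is what the table's "valid (but ...)" entries mean: the leaf itself is fine, but a verifier that stops at the leaf's own CRL would accept both, and a verifier that treats a stale CRL as "nothing revoked" would accept CertC for as long as the stale copy is cached. The `statusOf` ordering (signature, validity, CRL signature, CRL freshness, membership) is the order a verifier should use, since a CRL that is unsigned or expired must not be consulted for membership at all.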

`truststore.pem` contains, in order:
- `Intermediate A CA`
- `Intermediate B CA`
- `Intermediate C CA`
- `Root CA`

The script also creates `truststore_withPKIOverheid.pem`, which concatenates the following files in this order:
- `truststore.pem`
- `/network/test/pkioverheid-server-bundle.pem`