Topic: CSR
Hi
Is there an option to generate CSR with RSA and EC Param keys?
Many thanks
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferencesHi
Is there an option to generate CSR with RSA and EC Param keys?
Many thanks
Hi,
Currently wolfSSL embedded SSL doesn't have the ability to generate a CSR. We have had a few inquiries recently about CSR generation though. Are you able to share any details about the project you are working on?
Thanks,
Chris
Hi Chris
Thanks for your prompt response.
We need an ability to generate CSR and send it to our CA to generate the certificate. We've been trialling the wolfSSL and it works well for everything else.
Many thanks
UPDATE:
Currently wolfSSL embedded SSL doesn't have the ability to generate a CSR. We have had a few inquiries recently about CSR generation though. Are you able to share any details about the project you are working on?
wolfSSL has CSR support and our manual is in the process of being updated! The new section will follow section 7.8 in chapter 7 of the wolfSSL manual which talks about Certificate Generation in wolfSSL. Please find the first content draft below:
7.9 Certificate Signing Request (CSR) Generation
wolfSSL supports X.509 v3 certificate signing request (CSR) generation. CSR generation is off by default but can be turned on during the ./configure process with:--enable-certreq --enable-certgen
or by defining WOLFSSL_CERT_GEN and WOLFSSL_CERT_REQ in Windows or non-standard environments.
Before a CSR can be generated the user needs to provide information about the subject of the certificate. This information is contained in a structure from wolfssl/wolfcrypt/asn_public.h named Cert:
For details on the Cert and CertName structures please reference section “7.8 Certificate Generation” above.
Before filling in the subject information an initialization function needs to be called like this:
Cert request;
InitCert(&request);InitCert() sets defaults for some of the variables including setting the version to 3 (0x02), the serial number to 0 (randomly generated), the sigType to CTC_SHAwRSA, the daysValid to 500, and selfSigned to 1 (TRUE). Supported signature types include:
CTC_SHAwDSA
CTC_MD2wRSA
CTC_MD5wRSA
CTC_SHAwRSA
CTC_SHAwECDSA
CTC_SHA256wRSA
CTC_SHA256wECDSA
CTC_SHA384wRSA
CTC_SHA384wECDSA
CTC_SHA512wRSA
CTC_SHA512wECDSANow the user can initialize the subject information like this example from https://github.com/wolfSSL/wolfssl-exam … example.c:
strncpy(req.subject.country, "US", CTC_NAME_SIZE);
strncpy(req.subject.state, "OR", CTC_NAME_SIZE);
strncpy(req.subject.locality, "Portland", CTC_NAME_SIZE);
strncpy(req.subject.org, "wolfSSL", CTC_NAME_SIZE);
strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
strncpy(req.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
strncpy(req.subject.email, "info@wolfssl.com", CTC_NAME_SIZE);Then, a valid signed CSR can be generated using the variable key from the above key generation example (of course any valid ECC/RSA key or RNG can be used):
byte der[4096]; /* Store request in der format once made */
ret = wc_MakeCertReq(&request, der, sizeof(der), NULL, &key);
/* check ret value for error handling, <= 0 indicates a failure */Next you will want to sign your request making it valid, use the rng variable from the above key generation example. (of course any valid ECC/RSA key or RNG can be used)
derSz = ret;
req.sigType = CTC_SHA256wECDSA;
ret = wc_SignCert(request.bodySz, request.sigType, der, sizeof(der), NULL, &key, &rng);
/* check ret value for error handling, <= 0 indicates a failure */Lastly it is time to convert the CSR to PEM format for sending to a CA authority to use in issueing a certificate:
ret = wc_DerToPem(der, derSz, pem, sizeof(pem), CERTREQ_TYPE);
/* check ret value for error handling, <= 0 indicates a failure */
printf("%s", pem); /* or write to a file */Limitations:
There are fields that are mandatory in a certificate that are excluded in a CSR. There are other fields in a CSR that are also deemed “optional” that are otherwise mandatory when in a certificate. Because of this the wolfSSL certificate parsing engine, which strictly checks all certificate fields AND considers all fields mandatory, does not support consuming a CSR at this time. Therefore while CSR generation AND certificate generation from scratch are supported, wolfSSL does not support certificate generation FROM a CSR. Passing in a CSR to the wolfSSL parsing engine will return a failure at this time. Check back for updates once we support consuming a CSR for use in certificate generation!See also:
7.8 Certificate Generation
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.021 seconds (91% PHP - 9% DB) with 10 queries