BaseTools/Source/Python/Pkcs7Sign/Readme.md

   1 # Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure
   2
   3 This readme demonstrates how to generate 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands, and user MUST set a UNIQUE Subject Name ("Common Name") on these three different certificates.
   4
   5 ## How to generate a self-signed X.509 certificate chain via OPENSSL
   6 * Set OPENSSL environment.
   7
   8 NOTE: Below steps are required for Windows. Linux may already have the OPENSSL environment correctly.
   9
  10     set OPENSSL_HOME=c:\home\openssl\openssl-[version]
  11     set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
  12
  13 When a user uses OpenSSL (req or ca command) to generate the certificates, OpenSSL will use the openssl.cnf file as the configuration data (can use “-config path/to/openssl.cnf” to describe the specific config file).
  14
  15 The user need check the openssl.cnf file, to find your CA path setting, e.g. check if the path exists in [ CA_default ] section.
  16
  17     [ CA_default ]
  18         dir = ./demoCA              # Where everything is kept
  19
  20 You may need the following steps for initialization:
  21
  22     rd ./demoCA /S/Q
  23     mkdir ./demoCA
  24     echo "" > ./demoCA/index.txt
  25     echo 01 > ./demoCA/serial
  26     mkdir ./demoCA/newcerts
  27
  28 * Generate the certificate chain:
  29
  30 NOTE: User MUST set a UNIQUE "Common Name" on the different certificate
  31
  32 1) Generate the Root Pair:
  33
  34 Generate a root key:
  35
  36     openssl genrsa -aes256 -out TestRoot.key 2048
  37
  38 Generate a self-signed root certificate:
  39
  40     openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
  41     openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
  42     openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
  43
  44 2) Generate the Intermediate Pair:
  45
  46 Generate the intermediate key:
  47
  48     openssl genrsa -aes256 -out TestSub.key 2048
  49
  50 Generate the intermediate certificate:
  51
  52     openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
  53     openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
  54     openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
  55     openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
  56
  57 3) Generate User Key Pair for Data Signing:
  58
  59 Generate User key:
  60
  61     openssl genrsa -aes256 -out TestCert.key 2048
  62
  63 Generate User certificate:
  64
  65     openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
  66     openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`
  67     openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
  68     openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem
  69
  70 Convert Key and Certificate for signing. Password is removed with -nodes flag for convenience in this sample.
  71
  72     openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt
  73     openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
  74
  75 * Verify Data Signing & Verification with new X.509 Certificate Chain
  76
  77 1) Sign a Binary File to generate a detached PKCS7 signature:
  78
  79     openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
  80
  81 2) Verify PKCS7 Signature of a Binary File:
  82
  83     openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin
  84