
Is it possible to insert a list of CT signed certificate timestamps (SCTs) into my own certificate, created by an internal CA, using the openssl configuration file? I didn't find any information about the ASN.1 sequence describing how to insert the SCTs extension into the openssl.cnf file.

For example:

```text
CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Nov 13 16:57:03.632 2014 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:06:14:6A:E3:6D:0F:84:5D:6A:98:E7:29:
                                94:80:8B:F2:A4:23:85:68:4E:F9:BC:50:7C:FF:7B:94:
                                EB:20:54:82:02:21:00:91:63:83:FD:F6:31:5E:38:08:
                                AF:A7:5E:00:B7:0B:9B:1F:8B:FD:4D:7E:49:3C:43:E6:
                                64:E5:4B:F9:60:D7:89
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
                                71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
                    Timestamp : Nov 13 16:57:03.619 2014 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:61:4F:69:89:80:6A:62:2D:8E:A2:D0:24:
                                A5:E2:1D:74:67:51:77:C1:9B:DE:99:DE:16:56:2B:02:
                                77:A8:25:49:02:21:00:D3:41:6C:5D:88:40:F0:7A:FE:
                                E0:25:09:86:71:63:86:49:54:DD:96:E4:B5:9B:4A:84:
                                65:A9:25:12:F1:B7:E0
```

Is it possible at all?

  • See the man page for x509v3_config on your system [or on the web](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html) under the heading 'Arbitrary Extensions' and its link to ASN1_generate_nconf. It's too much like work for me to write out a full answer :-( – dave_thompson_085 Jul 06 '17 at 04:21

1 Answer

RFC 6962 describes (pretty hidden) that:

> by encoding the SignedCertificateTimestampList structure as an ASN.1 OCTET STRING and inserting the resulting data in the TBSCertificate as an X.509v3 certificate extension (OID 1.3.6.1.4.1.11129.2.4.2).

(OID-ref here.)

eckes

  • Although that top-level structure (OID + OCTET STRING) is the same for all extensions and OpenSSL does it automatically, the harder part is the structure _inside_ the OCTET STRING. – dave_thompson_085 Jul 06 '17 at 04:22
  • @dave_thompson_085: The RFC writes [*"SerializedSCT" is an opaque byte string that contains the serialized TLS structure*](https://tools.ietf.org/html/rfc6962#page-14) -- whatever that means. Found a good breakdown [on the "Pierky" blog](https://blog.pierky.com/certificate-transparency-manually-verify-sct-with-openssl/). – StackzOfZtuff Jul 06 '17 at 11:34
  • The structure of SignedCertificateTimestampList is described in the RFC; it seems you even quoted it in the question. – eckes Jul 07 '17 at 10:37