# BBTC X.509 certificates generation

---

TCAT uses X.509 certificate extensions to carry commissioner permissions inside the certificate itself, so the permission set is signed by the CA together with the rest of the certificate and cannot be altered by the holder.

## Extensions

Extensions were introduced in version 3 of the X.509 standard. They let a certificate be tailored to an application by adding arbitrary fields to it. Each extension is identified by its OID (Object Identifier), carries a "critical" flag, and holds the extension-specific data as an OCTET STRING. A relying party that does not recognise a critical extension must reject the certificate; an unrecognised non-critical extension is ignored.

## Certificates generation

Thread uses Elliptic Curve Cryptography (ECC), so the keys are generated with the `openssl ecparam` subcommand (curve `prime256v1`, i.e. NIST P-256) rather than with `genrsa`.

### Root certificate

1. Generate the private key:

```
openssl ecparam -genkey -name prime256v1 -out ca_key.pem
```

1. Generate the **.csr** (certificate signing request) file, which carries the subject name and other parameters of the final certificate:

```
openssl req -new -sha256 -key ca_key.pem -out ca.csr
```

1. Generate the self-signed root certificate itself:

```
openssl req -x509 -sha256 -days 365 -key ca_key.pem -in ca.csr -out ca_cert.pem
```

1. Inspect the generated certificate:

```
openssl x509 -in ca_cert.pem -text -noout
```

Check that the output lists `CA:TRUE` under `X509v3 Basic Constraints`. Depending on the OpenSSL version, `req -x509` may or may not add this extension by itself; if it is missing, add a section containing `basicConstraints = critical, CA:TRUE` to a config file, reference it with `x509_extensions` in the `[ req ]` section and pass the file with `-config`. `openssl verify` rejects an X.509v3 issuer certificate without it ("invalid CA certificate").

### Commissioner (client) certificate

1. Generate the key:

```
openssl ecparam -genkey -name prime256v1 -out commissioner_key.pem
```

1. Specify the additional extensions when generating the .csr (see [sample configuration](#configurations)):

```
openssl req -new -sha256 -key commissioner_key.pem -out commissioner.csr -config commissioner.cnf
```

1. Generate the certificate, signed by the root:

```
openssl x509 -req -in commissioner.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial -out commissioner_cert.pem -days 365 -sha256 -copy_extensions copy
```

`-copy_extensions copy` is what carries the permission extension from the CSR into the certificate; the default (`none`) silently produces a certificate without it. The option exists in `openssl x509` from OpenSSL 3.0 on; with OpenSSL 1.1.1 use `-extfile commissioner.cnf -extensions v3_req` instead, which applies the section directly. `-CAcreateserial` creates the `ca_cert.srl` serial-number file on first use. Note that `copy` takes every extension the CSR contains: that is fine for a CSR you wrote yourself, but a CA that signs requests from other parties should apply a fixed extension section rather than copy, so a requester cannot add `CA:TRUE` or a broader permission value to its own request.

1. View the generated certificate:

```
openssl x509 -in commissioner_cert.pem -text -noout
```

1. View the parsed certificate structure, including the extension:

```
openssl asn1parse -inform PEM -in commissioner_cert.pem
```

In the output the permission extension appears as an `OBJECT :1.3.6.1.4.1.44970.3` line followed by an `OCTET STRING [HEX DUMP]:2101010101` line holding the raw extension value.

## Configurations

file: `commissioner.cnf` (the line `1.3.6.1.4.1.44970.3 = DER:21:01:01:01:01` specifies the permissions, here all of them)

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req

[ req_distinguished_name ]
CN = Commissioner

[v3_req]
1.3.6.1.4.1.44970.3 = DER:21:01:01:01:01
authorityKeyIdentifier = none
subjectKeyIdentifier = none
```

Notes on the file:

- `req_extensions = v3_req` places the `[v3_req]` section into the CSR as requested extensions; they only reach the certificate through `-copy_extensions copy` (or `-extfile`/`-extensions`) at signing time.
- `DER:21:01:01:01:01` is OpenSSL's syntax for an arbitrary extension: the bytes after `DER:` are written verbatim as the extension value, under the OID given on the left. The extension is non-critical; prefixing the value with `critical,` would set the critical flag, which makes any verifier that does not understand the OID reject the certificate.
- `authorityKeyIdentifier = none` and `subjectKeyIdentifier = none` suppress the key-identifier extensions that OpenSSL 3.x otherwise adds by default; older releases neither add them nor understand the `none` value, so drop these two lines there.
- `default_bits` only applies when `req` generates an RSA key with `-newkey`; it is unused here because an existing EC key is supplied with `-key`.
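The whole procedure above, root and commissioner, as one runnable script that also checks the result: it verifies the chain and extracts the TCAT permission extension from the issued certificate, once signed with `-copy_extensions copy` and once with OpenSSL's default `none`, so the difference is visible. This is an added example and not a file from the OpenThread project. It assumes OpenSSL 3.x; the function names, the `TCAT Test CA` subject, the explicit `basicConstraints` section in the CA config and the temporary working directory are this example's own choices, while the commissioner config is the one shown above.

```shell
#!/bin/sh
# Added example (not OpenThread project code): generate the TCAT root and
# commissioner certificates, verify the chain, and read back the permission
# extension. Requires OpenSSL 3.x for `openssl x509 -copy_extensions`.
set -eu

TCAT_OID="1.3.6.1.4.1.44970.3"

openssl_supports_copy_extensions() {
    command -v openssl >/dev/null 2>&1 &&
        openssl x509 -help 2>&1 | grep -q -- '-copy_extensions'
}

# Write both config files into "$1". The CA config pins CA:TRUE explicitly so
# the chain check does not depend on a version's defaults for `req -x509`.
write_configs() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
CN = TCAT Test CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$1/commissioner.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req

[ req_distinguished_name ]
CN = Commissioner

[ v3_req ]
1.3.6.1.4.1.44970.3 = DER:21:01:01:01:01
authorityKeyIdentifier = none
subjectKeyIdentifier = none
EOF
}

# Root key and self-signed root certificate in "$1".
make_root() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/ca_key.pem"
    openssl req -new -x509 -sha256 -days 365 -key "$1/ca_key.pem" \
        -config "$1/ca.cnf" -out "$1/ca_cert.pem"
}

# Commissioner key and a CSR carrying the TCAT extension, in "$1".
make_commissioner_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/commissioner_key.pem"
    openssl req -new -sha256 -key "$1/commissioner_key.pem" \
        -config "$1/commissioner.cnf" -out "$1/commissioner.csr"
}

# Sign the CSR in "$1" with -copy_extensions mode "$2" (copy|none) into "$3".
# "none" is OpenSSL's default and drops the permission extension.
sign_commissioner() {
    openssl x509 -req -in "$1/commissioner.csr" -CA "$1/ca_cert.pem" \
        -CAkey "$1/ca_key.pem" -CAcreateserial -days 365 -sha256 \
        -copy_extensions "$2" -out "$3"
}

# Succeeds only if certificate "$2" chains to the root in "$1".
verify_chain() {
    openssl verify -CAfile "$1/ca_cert.pem" "$2" >/dev/null
}

# Print the hex value of the TCAT permission extension in certificate "$1"
# (2101010101 for the config above), or nothing if the extension is absent.
tcat_permissions() {
    openssl asn1parse -in "$1" | awk -v oid="$TCAT_OID" '
        $0 ~ ("OBJECT *:" oid) { found = 1; next }
        found && /OCTET STRING/ { sub(/.*\[HEX DUMP\]:/, ""); print; exit }'
}

main() {
    if ! openssl_supports_copy_extensions; then
        echo "OpenSSL 3.x with x509 -copy_extensions not found, skipping" >&2
        return 0
    fi
    dir=$(mktemp -d)
    write_configs "$dir"
    make_root "$dir"
    make_commissioner_csr "$dir"
    sign_commissioner "$dir" copy "$dir/commissioner_cert.pem"
    sign_commissioner "$dir" none "$dir/commissioner_noext.pem"
    verify_chain "$dir" "$dir/commissioner_cert.pem"
    echo "permissions with -copy_extensions copy: $(tcat_permissions "$dir/commissioner_cert.pem")"
    echo "permissions with default (none):        '$(tcat_permissions "$dir/commissioner_noext.pem")'"
    echo "output files are in $dir"
}

main "$@"
```

Run it with `sh tcat_certs.sh` (any file name works). The first line of output shows `2101010101`, the second an empty value, which is exactly what a device would see if the signing step were run without `-copy_extensions copy`: a certificate that chains correctly but grants no permissions.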