-------------------------------------------------------------------------------- | |
File: ChainCreationInstructions.txt | |
Description: This folder contains INI files that are required to generate | |
the following test cert chains. Certs will be copied onto the | |
file system AND MY store when they are generated by certreq.exe. | |
Note that typically certreq.exe operates on INF files, but in this folder | |
we use INI files so that our build system does not complain about INF's being | |
in the tree, but not in the CryptoPkg.dsc file. | |
To create your own certificates and signatures for testing, this file demonstrates | |
how the test certificate chains and signatures were created. | |
To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in | |
your path). You can then use your favorite BinaryToHex converter to convert | |
the binary into a byte array that you can include in unit tests. | |
Copyright (C) Microsoft Corporation. All Rights Reserved. | |
-------------------------------------------------------------------------------- | |
Cert Chain: | |
------------------------------------------ | |
| | // Root of trust. ECDSA P521 curve | |
| TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE | |
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE | |
------------------------------------------ | |
^ | |
| | |
------------------------------------------ | |
| | // Issues subordinate CAs. ECC P384 curve. | |
| TestEKUParsingPolicyCA | // SHA 256 Key Usage: | |
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE | |
------------------------------------------ | |
^ | |
| | |
------------------------------------------ | |
| | // Issues end-entity (leaf) signers. ECC P256 curve. | |
| TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE | |
| | // Enhanced Key Usage: | |
------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) | |
^ | |
| | |
-------------------------------------- | |
/ / // Leaf signer, ECC P256 curve. | |
/ TestEKUParsingLeafSigner / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE | |
/ / // Enhanced Key usages: | |
-------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing) | |
// 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID. | |
--------------------------------------------------------------------------------- | |
--- files required --- | |
TestEKUParsingRoot.ini - This certificate is the root CA under which all CAs live. | |
TestEKUParsingPolicyCA.ini - This policy CA will issue subordinate CA's with EKU constraints. | |
TestEKUParsingIssuingCA.ini - CA to issue end-entity leafs. | |
TestEKUParsingLeafSigner.ini - End-Entity leaf signer. | |
TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345. | |
TestEKUParsingNoEKUsInSigner.ini - Leaf with no EKU's specified. | |
TestEKUParsingLeafSignerPid1.ini - Test with naming files ini, to get around build complaints. | |
--- Commands to execute --- | |
certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer | |
certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer | |
certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer | |
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer | |
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer | |
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer | |
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer | |
--------------------------------------------------------------------------------- | |
Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below. | |
Note: You should see a little key on the top left of each cert icon, which means you have the private key | |
for this cert. If you don't see it something is wrong. For each cert, right-click and do all tasks, | |
export. Yes, Export the private key. PCKS#12 format, include all certs in path if possible. | |
If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has | |
an Export-PfxCertificate command. | |
Passwords: TestEKUParsingRoot.pfx == TestEKUParsingRoot | |
TestEKUParsingPolicyCA.pfx == TestEKUParsingPolicyCA | |
TestEKUParsingIssuingCA.pfx == TestEKUParsingIssuingCA | |
TestEKUParsingLeafSigner.pfx == TestEKUParsingLeafSigner | |
TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345 | |
TestEKUParsingNoEKUsInSigner.pfx == TestEKUParsingNoEKUsInSigner | |