Hello,
we are considering the case where a third party, not owning any of the SRK keys already generated for the HABv4 PKI tree , should generate its own IMG keypair , asks us to sign the public part or certificate by one of the 4 SRK private keys ( we can't give them any SRK private keys ), and then we return the signed IMG public key certificate to them.
In the end we can't give them the SRK private key, and we can't know their IMG private key.
How should we sign the IMG additional key ( public, certificate ) ? Should they send us the CSR ( Certificate Signing Request ) ?
I can see on the add_key.sh script that actual signing is involved when generating the certificate :
# Generate certificate
openssl ca -batch -passin file:./key_pass.txt \
-md ${md} -outdir ./ \
-in ./${key_fullname}_req.pem \
-cert ${signing_crt} \
-keyfile ${signing_key} \
-extfile ../ca/v3_${ca}.cnf \
-out ../crts/${key_fullname}_crt.pem \
-days ${val_period} \
-config ../ca/openssl.cnf
how is best to proceed when third party doesn't want us to see their private key and we can't give them SRK private key ? Should they send us CSR request or are there any other option to directly sign X509 certificate that includes only the public key ?
Of course at the final step of the process we'd give the SRK binary map ( public ) so that they can sign the final content by using their private IMG key an CST tool.
thank you
Solved! Go to Solution.
Hey, I think I found everything needed. I'll do some tests to verify it works.
CSR request is to be signed by SRK key chosen, or by all of the 4 SRK keys, producing 4 certificates in this latter case.
CSR request can be generated by third party not knowing private SRK keys.
CSR request can be signed by us, producing certificate for public key by SRK private key.
Resulting certificate can be sent back to third party in conjunction with SRK public keys map. Third party then can produce signed images by CST tool.
Hey, I think I found everything needed. I'll do some tests to verify it works.
CSR request is to be signed by SRK key chosen, or by all of the 4 SRK keys, producing 4 certificates in this latter case.
CSR request can be generated by third party not knowing private SRK keys.
CSR request can be signed by us, producing certificate for public key by SRK private key.
Resulting certificate can be sent back to third party in conjunction with SRK public keys map. Third party then can produce signed images by CST tool.