Where can I get a certification body from

Where can I get data for installing an SSL certificate? Certificate extension for certificates with the public key cer

x.509 v3 certificate also enables the definition of private extensions.

Each extension in a certificate can be either critical or non-critical. A system that uses certificates must reject the certificate if it encounters a critical extension that it cannot recognize. However, non-critical extensions can be ignored if they are not recognized. Note the recommended Internet certificate extensions. Additional extensions can be used. However, you should carefully install all critical extensions in the certificates, as this can affect the validation of the certificates.

Each extension must have a corresponding OID and is defined by an ASN.1 structure. When the extension is shown in the certificate, the OID is shown as the extnID field and the corresponding ASN.1 presentation structure is the value of the extnValue octet string. A certificate should not contain more than one instance of a particular extension. For example, a certificate can only contain an extension for a key identifier of an authorized agency. The extension contains a Boolean criticality value with the default value FALSE. Valid values ​​for the criticality field must be defined for each extension.

Certificate authorities must support key identifier extensions, key key usage restrictions, and certificate policies. If the CA issued certificates with an empty sequence for the subject field, the CA must provide the alternate subject extension. Support for the remaining extensions is optional. Certification authorities may support extensions that are not defined by the current standard. Certification authorities should be aware that extensions marked as critical can affect interoperability.

At least the following extensions should be recognized: Key Usage, Certificate Policies, Alternate Name Subject, Basic Restrictions, Name Restrictions, Extended Key Usage, and Arbitrary Policy Prohibition.

The extension of the certification authority key identifier and the subject, as well as the extension of the policy indicator can also be recognized.

Standard extensions

Take into account the standard certificate extensions defined in the X.509 standard. Each extension has a specific OID. These OIDs are ID elements of a set that is defined as follows:

id-ce OBJECT IDENTIFIER :: \ u003d (Joint-Iso-Ccitt (2) ds (5) 29)

Key identifier of the certification authority

The Certificate Authority Key Identifier extension provides a way to identify the public key that corresponds to the private key that was used to sign the certificate. This extension is used when the issuer has multiple keys to sign. The identification can be based either on the key identifier (subject key identifier in the issuing certificate) or on the issuing name and serial number.

The keyIdentifier field of the AuthorityKeyIdentifier extension must be included in all certificates issued by the certification authority in order for it to be created on the certification path. There is one exception: if a certification authority distributes its public key in the self-signed certificate form, the key identifier of the authorized authority can be omitted. Signature for self-signed certificate created by the private key that corresponds to the public key of the subject. This proves that the issuer has both a public and a private key. In this case, the subject and authorized body IDs should be the same, and the key ID can only be specified for the subject's public key.

The keyIdentifier field value must be obtained from the public key used to verify the signature of the certificate or from a method that creates unique values. Consider two methods of creating key identifiers from a public key and one method of creating unique values ​​for keyIdentifier. If the key ID has not been predefined, it is recommended that you use one of these methods to create key IDs. If the key identifier was predefined, the certification authority must use a predefined identifier.

This extension should not be flagged as critical.

id-ce-AuthorityKeyIdentifier OBJECT IDENTIFIER :: \ u003d (id-ce 35) AuthorityKeyIdentifier :: \ u003d SEQUENCE (keyIdentifier KeyIdentifier OPTIONAL, AuthorityCertIssuer GeneralNames OPTIONAL, AuthorityCertSerialNumber CertificateSerialNumber OPTIONAL ::. \ u003dentifier OCTAL ::. \ u003dentifier OCT

Subject key ID

Subject Key ID Extension provides a method of identifying a certificate that contains a specific public key.

To simplify the creation of the certification path, this extension should be included in all CA certificates, i.e. H. in all certificates in which the value of CA is TRUE. The value of the key identifier of the subject must be the value specified in the Key identifier field of the certification center that issued the certificate for this subject.

For CA certificates, subject key identifiers must be obtained from the public key or some method that creates unique values. There are two methods of creating key identifiers from a public key:

  1. keyIdentifier is retrieved from the 160-bit hash SHA-1 of the bit of the subjectPublicKey bit sequence (without tag, length and unused bits).
  2. keyIdentifier is obtained from four bits of a type field with a value of 0100 after the lower 60 bits of the SHA-1 hash of the bit for the bit sequence subjectPublicKey (without tag, length and unused bits).

The method of creating unique values ​​is to use monotonically increasing sequences of integers.

For end-entity certificates, the Subject Key ID Extension provides methods of identifying certificates that contain the specific public key used in the application. If the end entity receives several certificates, possibly from several certification authorities, the subject key identifier provides a means of quickly searching for a specific public key that is contained in several certificates. In order for applications to identify the appropriate end-user certificate, this extension should be included in all end-user certificates.

This extension should not be marked as critical.

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER :: \ u003d (id-ce 14) SubjectKeyIdentifier :: \ u003d KeyIdentifier

I've talked about unobvious causes of failure. "Keyset does not exist" and methods of dealing with it. It was about access rights to the certificate's private key file. Continuation of the theme of strange posts CryptoapiI want to talk about a no less mysterious mistake - "Bad key".

Bad key
The text of the error message that occurs when you try to decrypt the data is striking in its brevity - you can accept anything. It doesn't matter which decryption tool you used: native function Cryptdecrypt from the library Cryptoapior method Decrypt class RSACryptoServiceProvider from the namespace System.Security.Cryptography. In fact, this error means with a high probability that the certificate used is not intended for the data exchange.

This problem is most common with utility-generated test certificates. makecert.exeand applied by quality control. But it also happens that the customer falls into this trap. If the application requires a certificate for encryption / decryption, all you have to do is offer to use it only signs Certificate to see complaints Cryptoapi on the "bad key". Unfortunately, this problem has only one solution: you need to generate or purchase the correct certificate.
Any certificate X.509 contains the following fields and extensions that describe the purpose of the certificate:

  • Key specification of the subject - Property of the private key, can have the values ​​1 ( AT_KEYEXCHANGE - Key for encryption and signature) or 2 ( AT_SIGNATURE - key is only used for signature);
  • Key usage - Certificate extension X.509 v3;; The value is a bit mask, each bit of which defines a specific purpose. For example, if bit 2 is set, it is determined that the certificate can be used in the key exchange procedure.
  • Extended key usage - Certificate extension X.509 v3;; Is a sentence Object identifier`s ( Oid) Definition of additional purposes of the certificate; B. Add Oid`a specifies that the certificate can be used to authenticate clients.
It is noteworthy that all of the above properties and extensions are essentially independent of each other. They can appear in the certificate in various combinations and even contradict each other. Fortunately, such certificates - with contradicting nomination declarations - are flawed. There is a good article on the Technet website specifically describing how to compare different specifications for the purpose of a certificate of consistency: http://technet.microsoft.com/en-us/library/dd277392.aspx.

Why do you need so many certificate assignment declarations? Everything is very simple. It's not hard to notice that each explanation that follows expands on the previous one. When a Key specification then only sets 2 assignments Key usage already 8 while Extended key usage not limited from above at all. Therefore, each application selects the field for review that most closely matches its goals. If the purpose of the certificate does not meet the requirements of the application, it should refuse use and report an error. That is, in the general case, such a test lies with the application itself.

Unfortunately, the documentation doesn't mention which usage specifications apply Cryptoapi automatically checks whether it even does it. However, there is at least one exception to this rule: validation Key specification carried out automatically. And that's why it happens. In contrast to extensions Key usage and Extended key usagewhich are essentially only declarations of intent, Key specification Defines the algorithm used with the certificate key. Therefore, an attempt to apply a key to generate a digital signature for encryption / decryption operations will fail Bad key.

In conclusion, I'll give an example of a command that you can use to generate a test certificate that can be used for encryption operations.

An electronic digital signature consists of a number of special characters for:

  • Control over the integrity of information and data transmitted in electronic documents
  • Securing information from interception and unauthorized use
  • The ability to identify the author and sender of the document

In order to be able to use the certificate of a key for the electronic signature for the intended purpose - as a legally important requirement for an electronic document - you must install an EDS certificate on a computer or computers on which it is connected to electronic documents and directly to an electronic Signature works.

Public and private keys

It needs to be made clear that every digital signature consists of two types of keys - a private key, also known as a key container. This is because a document is signed and encrypted with a public key or simply a personal certificate.

A personal certificate presented in the form of files with the .cer extension. Here you can view all information about the owner of the electronic signature. Such a public key is required to check the authenticity of documents. It is possible and required to install an EDS public key certificate on all computers that receive electronic correspondence.

The private key contains six files, each with a .key extension. If this folder is lost or damaged, the private key will not work and you will need to contact the certification authority to reissue the electronic signature certificate.

Digital signature storage

EDS keys are usually stored on special key media. Conventional magnetic floppy disks have previously been used for this purpose. However, time has shown that they are unreliable and fragile. Therefore, certified media such as RuToken are increasingly used today. Rutoken is protected by a special password so that access to the information it contains is only granted directly to the certificate holder who knows this code.

Installation of a certificate for digital signatures

To install the EDS certificate on your computer, the user must switch to the Control Panel tab in the CryptoPro program, select the tab under the name Service and then click on Show certificates in the container. In the window that appears, select the Browse button and select the certificate you want to add. Click on Continue. A Certificate pop-up tab appears in the Properties window. Click Install Certificate.

Then the wizard for importing certificates is displayed in front of the user. Select the "Place" value and select the certificates and storage for them. If everything went correctly, a window should appear in front of the user stating that the certificate was successfully installed.

You can see all prices for electronic signatures

in the section.

The CryptoPro CSP application is used to install a personal certificate with a link to the private key. You can run it on Windows by running Start \ u003e \ u003e All Programs \ u003e \ u003e Crypto-PRO \ u003e \ u003e CryptoPro CSP. In the application window that appears, select the tab service and then click on the button Install a personal certificate. Next, specify the location of the certificate file (file with the extension .cer) and click on Further . A window showing the certificate properties allows you to verify that the correct certificate is selected. After checking, press the button again Further .

In the next window you have to specify the key container that contains the user's private keys.

IMPORTANT! Only removable USB sticks or smart cards and the operating system registry are used in this step.

With the application CryptoPRO CSP Version 3.9 you can find a container automatically by setting a corresponding flag. earlier versions after clicking a button overview Provide a list of available media from which you want to choose the one you want. After selecting a container, click Further . In the next window you can set the certificate installation parameters in the repository. After selecting the storage you want, click the button Further .

The next step is final and does not require any action other than pressing a key Done .