Template help - policyIdentifiers #907

shane64 · 2022-04-21T04:34:11Z

shane64
Apr 21, 2022

Hello,

I’m having a difficult time figuring out how to use the templates to create a Certificate Policy Statement URL like I’d do with an openSSL config file as follows:

certificatePolicies = @cps_info

[ cps_info ]
policyIdentifier = 2.5.29.32.0
CPS.1 = “http://ca.example.org/CPS”

I’ve used:

"policyIdentifiers" : [ "2.5.29.32.0" ]

in the template file to get the first one but I can’t figure out how to get the CPS.1 element in there. Any assistance would be greatly appreciated.

Thank you.

Answered by maraino

Apr 21, 2022

Hi @shane64, because Go's x509.Certificate doesn't allow to add CPSs the only way to do it is by encoding the extension manually. In that case, it would be adding something like:

{
  "...": "...",
  "extensions": [
    {"id": "2.5.29.32", "value": "MDcwNQYEVR0gADAtMCsGCCsGAQUFBwIBFh/igJxodHRwOi8vY2EuZXhhbXBsZS5vcmcvQ1BT4oCd"}
  ]
}

That is the base64 of the information encoded in the extension.

0000 - 30 37 30 35 06 04 55 1d-20 00 30 2d 30 2b 06 08   0705..U. .0-0+..
0010 - 2b 06 01 05 05 07 02 01-16 1f e2 80 9c 68 74 74   +............htt
0020 - 70 3a 2f 2f 63 61 2e 65-78 61 6d 70 6c 65 2e 6f   p://ca.example.o
0030 - 72 67 2f 43 50 53 e2 80-9d                        rg/CPS...

One way t…

View full answer

maraino · 2022-04-21T18:12:28Z

maraino
Apr 21, 2022
Maintainer

Hi @shane64, because Go's x509.Certificate doesn't allow to add CPSs the only way to do it is by encoding the extension manually. In that case, it would be adding something like:

{
  "...": "...",
  "extensions": [
    {"id": "2.5.29.32", "value": "MDcwNQYEVR0gADAtMCsGCCsGAQUFBwIBFh/igJxodHRwOi8vY2EuZXhhbXBsZS5vcmcvQ1BT4oCd"}
  ]
}

That is the base64 of the information encoded in the extension.

0000 - 30 37 30 35 06 04 55 1d-20 00 30 2d 30 2b 06 08   0705..U. .0-0+..
0010 - 2b 06 01 05 05 07 02 01-16 1f e2 80 9c 68 74 74   +............htt
0020 - 70 3a 2f 2f 63 61 2e 65-78 61 6d 70 6c 65 2e 6f   p://ca.example.o
0030 - 72 67 2f 43 50 53 e2 80-9d                        rg/CPS...

One way to do it is to use OpenSSL first and see the raw extension using openssl asn1parse -in cert.crt

Programatically and in Go, you can do it by creating the appropriate struct with the necessary tags following RFC5280 4.2.1.4 and using ans1.Marshal() on that, but we do not have a way yet to do something like that using templates.

2 replies

shane64 Apr 21, 2022
Author

Thank you! That filled in the blanks for me. Create the extension in OpenSSL the way I want it, obtain the hex from the raw extension using openssl asn1parse, convert the raw hex to base 64 encoding and then use the extensions construct in the step-ca template. The last piece I was a bit confused with what what to put in for the "id" but openSSL appears to have an embedded list of OIDs mapped to extension names that fills in that last blank for me (though you had already correctly filled in the one for the X509v3 Certificate Policies extension).

Thanks again!

gwe32 Mar 4, 2025

Since v0.24.0 it is also possible to use the ASN.1 template functions:

{
    "...": "...",
    "extensions": [
        {
            "id": "2.5.29.32",
            "value": {{ asn1Seq (asn1Seq (asn1Enc "oid:2.5.29.32.0") (asn1Seq (asn1Seq (asn1Enc "oid:1.3.6.1.5.5.7.2.1") (asn1Enc "ia5:http://ca.example.org/CPS")))) | toJson }}
        }
    ]
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Template help - policyIdentifiers #907

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Template help - policyIdentifiers #907

shane64 Apr 21, 2022

Replies: 1 comment · 2 replies

maraino Apr 21, 2022 Maintainer

shane64 Apr 21, 2022 Author

gwe32 Mar 4, 2025

shane64
Apr 21, 2022

Replies: 1 comment 2 replies

maraino
Apr 21, 2022
Maintainer

shane64 Apr 21, 2022
Author