Skip to main content

KOBIL Shift internal Issuer CA

KOBIL Shift internal Issuer CA

Note: Please always refer to the KOBIL Shift Chart README for updates.

An issuer CA certificate and private key must be generated for each shift deployment. The private key cannot be changed afterwards. Generate the issuer CA according to the following instructions.

  • The key must be in PKCS#8 format. Both, the CA certificate and key must be DER-encoded
  • The CA's key pair must be of one of the supported algorithms:
    • RSA with >= 2048 bit keys
    • ECDSA with one of the supported curves:
      • secp256r1 (or P-256), secp384r1 (or P-384), secp521r1 (or P-521)
    • Ed25519
  • It is recommended to use the same key algorithm that is configured for the signer CAs through ca.signers.key_generation.algorithm (default ecdsa) also for the issuer CA. The curve parameter (for ECDSA) or the strength parameter (for RSA) may differ for the CA to provide additional security.
  • The CA must have the Basic Constraints extension with cA=True and pathLen unset or >= 1. The extension must be marked as critical.
  • The CA must have the Key Usage extension with at least the bits for keyCertSign and cRLSign set. The extension must be marked as critical. Other usage bits should not be set.
  • The CA must have the Certificate Policies extension with at least the following policies set (alternatively, the extension may specify anyPolicy). The extension should not be marked critical.
    • 1.3.6.1.4.1.14481.109.1.0 (profile LEAF_CA)
    • 1.3.6.1.4.1.14481.109.1.1 (profile SIGNATURE)
    • 1.3.6.1.4.1.14481.109.1.2 (profile AUTHENTICATION)
    • 1.3.6.1.4.1.14481.109.1.3 (profile ENCRYPTION)
    • 1.3.6.1.4.1.14481.109.1.4 (profile AST_DEVICE)
    • 1.3.6.1.4.1.14481.109.1.5 (profile TLS_SERVER)
    • 1.3.6.1.4.1.14481.109.1.6 (profile SIGNATURE_GATEWAY)
    • 1.3.6.1.4.1.14481.109.1.7 (profile AUTHENTICATION_GATEWAY)
    • 1.3.6.1.4.1.14481.109.1.8 (profile ENCRYPTION_GATEWAY)
  • The CA may have the Extended Key Usage extension with the id_kp_OCSPSigning key purpose set. Other key purpose IDs should not be set.
  • Other extensions should not be present.

Below is a simple example to generate a self signed issuer CA using OpenSSL:

  • Create file openssl.cnf with the following content

    [req]
    default_bits = 4096
    encrypt_key  = no
    default_md   = sha512
    prompt       = no
    utf8         = yes
    x509_extensions = v3_req
    distinguished_name = req_distinguished_name

    # Adjust below values as required
    [req_distinguished_name]
    C  = DE
    ST = Rheinland-Pfalz
    L  = Worms
    O  = KOBIL GmbH
    CN = KOBIL Shift Issuer CA

    [v3_req]
    basicConstraints = critical, CA:TRUE, pathlen:1
    keyUsage = critical, keyCertSign, cRLSign
    # explicit policies
    certificatePolicies = 1.3.6.1.4.1.14481.109.1.0, 1.3.6.1.4.1.14481.109.1.1, 1.3.6.1.4.1.14481.109.1.2, 1.3.6.1.4.1.14481.109.1.3, 1.3.6.1.4.1.14481.109.1.4, 1.3.6.1.4.1.14481.109.1.5, 1.3.6.1.4.1.14481.109.1.6, 1.3.6.1.4.1.14481.109.1.7, 1.3.6.1.4.1.14481.109.1.8
    # or alternatively anyPolicy
    # certificatePolicies = 2.5.29.32.0

  • Create an ECDSA key-pair for curve P-521, convert it to PKCS#8 format, and store it in file key.der.

    openssl ecparam -name P-521 -genkey -noout -outform DER | openssl pkcs8 -inform DER -topk8 -nocrypt -outform DER -out key.der

  • Create a self-signed certificate with a validity of 10 years for the public key generated in the previous step and store it in file cert.der.

    openssl req -nodes -x509 -days 3650 -config openssl.cnf -key key.der -keyform DER -out cert.der -outform DER

  • Base64 encode key and certificate. The content of resulting files key.b64 and cert.b64 can be added to values common.ast.issuer.key and common.ast.issuer.certs, respectively.

    openssl enc -a -A -in key.der -out key.b64
    openssl enc -a -A -in cert.der -out cert.b64