TCAT uses X.509 Certificate Extensions to provide permissions with certificates.
Extensions were introduced in version 3 of the X.509 standard for certificates. They allow certificates to be customised to applications by supporting the addition of arbitrary fields in the certificate. Each extension, identified by its OID (Object Identifier), is marked as “Critical” or “Non-Critical”, and includes the extension-specific data.
Thread uses Elliptic Curve Cryptography (ECC), so we use the ecparam
openssl
argument to generate the keys.
openssl ecparam -genkey -name prime256v1 -out ca_key.pem
openssl req -new -sha256 -key ca_key.pem -out ca.csr
openssl req -x509 -sha256 -days 365 -key ca_key.pem -in ca.csr -out ca_cert.pem
openssl x509 -in ca_cert.pem -text -noout
openssl ecparam -genkey -name prime256v1 -out commissioner_key.pem
openssl req -new -sha256 -key commissioner_key.pem -out commissioner.csr -config commissioner.cnf
openssl x509 -req -in commissioner.csr -CA ca_cert.pem -CAkey ca_key.pem -out commissioner_cert.pem -days 365 -sha256 -copy_extensions copy
openssl x509 -in commissioner_cert.pem -text -noout
openssl asn1parse -inform PEM -in commissioner_cert.pem
file: commissioner.cnf
(line 1.3.6.1.4.1.44970.3 = DER:21:01:01:01:01
specifies permissions (all))
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no req_extensions = v3_req [ req_distinguished_name ] CN = Commissioner [v3_req] 1.3.6.1.4.1.44970.3 = DER:21:01:01:01:01 authorityKeyIdentifier = none subjectKeyIdentifier = none