How to create Self-Signed Certificates for use with Intel® SGX Remote Attestation using OpenSSL
Published on March 28, 2016
Prerequisites:
If you don't have OpenSSL installed, a Windows installer is available at http://slproweb.com/products/Win32OpenSSL.html. Choose the 32- or 64-bit build to match your OS and install it with the default settings.
Create certificates for TLS authentication:
Step 1: The following instructions create the certificates in the folder c:\demo, so create that folder first. Then open a command prompt (cmd.exe) and change into the folder (type: cd \demo). Before you start OpenSSL, set the environment variable shown below. OpenSSL on Windows uses this file to store its random-number seed; without it, the commands that follow complain that they are unable to write the random state:
set RANDFILE=c:\demo\.rnd
Step 2: To create a self-signed certificate for TLS authentication, create a file named client.cnf in the c:\demo folder with the extension section below. The certificate serves both as the TLS client certificate and as its own trust anchor, which is why the key usage includes keyCertSign next to digitalSignature and keyEncipherment; the extended key usage allows it for both client and server authentication:
[ ssl_client ]
keyUsage = digitalSignature, keyEncipherment, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = clientAuth, serverAuth
Step 3: Now start OpenSSL by typing c:\OpenSSL-Win64\bin\openssl.exe (or the corresponding OpenSSL-Win32 path for the 32-bit build). This opens the interactive OpenSSL> prompt. The commands in Steps 4 to 8 are typed at that prompt, so they are given without a leading openssl.
Step 4: First, create a 2048-bit RSA private key:
genrsa -out client.key 2048
Step 5: Now create the certificate request. When prompted, enter the name fields you want to appear in the generated certificate; Common Name is required, and the optional extra attributes (challenge password, company name) can be left blank:
req -key client.key -new -out client.req
Step 6: Next, create the certificate from the request client.req, signed with client.key and carrying the extensions from the ssl_client section of client.cnf. It is valid for 365 days:
x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
Step 7: You now have the certificate (client.crt) and private key (client.key) needed for TLS client authentication. To carry both to another machine in a single file, export them into a PKCS#12 (.pfx) bundle with the command below; you will be prompted for an export password that protects the private key:
pkcs12 -export -out client.pfx -inkey client.key -in client.crt
Step 8: Finally, check that the certificate passes OpenSSL's own verification. The command below uses client.crt as its own trust anchor and should print client.crt: OK:
verify -x509_strict -purpose sslclient -CAfile client.crt client.crt
Note that the two options take plain hyphens (-x509_strict, -purpose); pasting them with dashes makes OpenSSL reject them as unknown options. Newer OpenSSL releases also apply the -x509_strict checks to the self-signed certificate itself. If the command reports "invalid CA certificate" on such a version, add the line basicConstraints = critical, CA:TRUE to the [ ssl_client ] section and repeat Step 6, since strict checking requires a certificate that asserts keyCertSign to also carry basicConstraints; alternatively, run the command without -x509_strict.
Step 9: When you are done, the c:\demo folder contains .rnd (the random seed file from Step 1), client.cnf, client.key, client.req, client.crt and client.pfx.
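The procedure in Steps 2 through 8, as one non-interactive script. This is an added example and not part of Intel's original article: it uses the command-line openssl binary from a POSIX shell (the page's interactive OpenSSL> prompt takes the same commands without the leading openssl), replaces the name and password prompts with -subj and -passout so it runs unattended, adds a [ req ] section so the request step does not depend on the system openssl.cnf, and adds basicConstraints to the page's extension list so the -x509_strict check of Step 8 also passes on current OpenSSL releases. The working directory, subject and export password are placeholders. Two checks the page does not show are included: that the requested extensions actually landed in client.crt, and that the .pfx bundle carries the same certificate as client.crt.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 2-8 of the page as a
# non-interactive script using the command-line openssl binary.
# Assumptions: openssl in PATH; $1 is a writable working directory (the page
# used c:\demo); $2 is the subject, e.g. "/CN=sgx-ra-client"; $3 is the .pfx
# export password. The page's `set RANDFILE=...` is a Windows-only step.
set -eu

# Step 2: the page's [ ssl_client ] section, plus two additions:
#  - [ req ]/[ req_dn ] so `req -config` works without the system openssl.cnf
#    (the subject comes from -subj, so the DN section stays empty);
#  - basicConstraints, because a self-signed certificate asserting keyCertSign
#    without it fails `verify -x509_strict` on OpenSSL 1.1.1 and later.
write_client_cnf() {
    cat > "$1/client.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ssl_client ]
keyUsage = digitalSignature, keyEncipherment, keyCertSign
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = clientAuth, serverAuth
EOF
}

# Steps 4-7: private key, request, self-signed certificate, PKCS#12 bundle.
make_client_cert() {
    dir=$1
    subj=$2
    pfxpass=$3
    write_client_cnf "$dir"
    # Step 4: 2048-bit RSA private key
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    # Step 5: certificate request; -subj replaces the interactive name prompts
    openssl req -new -config "$dir/client.cnf" -key "$dir/client.key" \
        -subj "$subj" -out "$dir/client.req"
    # Step 6: self-sign the request, adding the [ ssl_client ] extensions
    openssl x509 -req -days 365 -in "$dir/client.req" -signkey "$dir/client.key" \
        -out "$dir/client.crt" -extfile "$dir/client.cnf" -extensions ssl_client 2>/dev/null
    # Step 7: .pfx bundle of key and certificate; -passout replaces the password prompt
    openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client.key" \
        -in "$dir/client.crt" -passout "pass:$pfxpass"
}

# Step 8: the page's verification command; prints "client.crt: OK" and exits 0 on success.
verify_client_cert() {
    openssl verify -x509_strict -purpose sslclient -CAfile "$1/client.crt" "$1/client.crt"
}

# Extra check: a requested extension is actually present in the certificate.
# $2 is text expected in the `x509 -text` dump, e.g. "TLS Web Client Authentication".
cert_text_has() {
    openssl x509 -in "$1/client.crt" -noout -text | grep -q -- "$2"
}

# Extra check: the .pfx that travels to another machine carries the same
# certificate as client.crt (compared by SHA-256 fingerprint). $2 is the export password.
pfx_matches_crt() {
    crt_fp=$(openssl x509 -in "$1/client.crt" -noout -fingerprint -sha256)
    pfx_fp=$(openssl pkcs12 -in "$1/client.pfx" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$crt_fp" ] && [ "$crt_fp" = "$pfx_fp" ]
}

# Stand-alone use: sh make_client_cert.sh <dir> "<subject>" <pfx-password>
if [ $# -eq 3 ]; then
    make_client_cert "$1" "$2" "$3"
    verify_client_cert "$1"
    if pfx_matches_crt "$1" "$3"; then
        echo "client.pfx carries the same certificate as client.crt"
    else
        echo "client.pfx does not match client.crt" >&2
        exit 1
    fi
fi
```

Run it as, for example, `sh make_client_cert.sh /tmp/demo "/CN=sgx-ra-client" changeit`; the directory then holds the same client.cnf, client.key, client.req, client.crt and client.pfx files as Step 9, and the verify line prints client.crt: OK. The fingerprint comparison is the quick way to confirm that the bundle you copy to the attestation client machine really contains the certificate you just verified, rather than a stale one from an earlier run.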