Document how to create the certificate file? #7
Comments
If the procedure to get the certificate file can be automated, it would be possible to test all the services listed in README.rst to verify they are currently working. |
I used the following to generate a tsr with a more complete certificate chain. The CertificateSet section of the timestamp info is completely optional, so the TSA doesn't have to provide any certs at all.
Then I used asn1parse to identify different certificates in the DER-encoded file; per the spec, if certificates appear, they will be in a [0] tagged d=4 block after the tst info (notably, there will be a big octet string object of type id-smime-ct-tstinfo before it). I extracted each byte sequence in that block into its own cert.der file. Skip is from the number before the colon (should be a cons: SEQUENCE at d=5), count is hl+l.
There may be more than 2 certs in the container, just extract them all. This can probably be automated with pyasn1, but I don't know how. One of these will have the x509v3 extended usage Time Stamping (id-kp-timeStamping). It will almost always be the last cert. All of the rest go in the -untrusted file (concat intermediate CA pems). The easiest way is to check for Time Stamp signing with -purpose.
Convert the leaf certificate into pem format.
Read pem file in python as shown in the example code.
|
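The extraction steps described in the comment above, automated with a small standard-library DER walker rather than pyasn1. This is an added example, not code from the thread or the project; the function names, the EKU byte-search heuristic and the constructed sample (placeholder bytes, not real certificates) are assumptions.

```python
import ssl
TSA_EKU = bytes.fromhex("06082b06010505070308")  # DER OID id-kp-timeStamping

def read_tlv(buf, off):  # -> (tag, hl, l), the hl= and l= columns of asn1parse
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def children(buf, off):  # yields (tag, start, end) for elements directly under off
    _, hl, l = read_tlv(buf, off)
    pos, end = off + hl, off + hl + l
    if end > len(buf):
        raise ValueError("element runs past end of input")
    while pos < end:
        tag, chl, cl = read_tlv(buf, pos)
        yield tag, pos, pos + chl + cl
        pos += chl + cl

def extract_certs(tsr):  # DER certs from a TimeStampResp, [] if the TSA sent none
    resp = list(children(tsr, 0))                    # d=1: status, timeStampToken
    if len(resp) < 2:
        return []                                    # request rejected, no token
    content = list(children(tsr, resp[1][1]))[1][1]  # d=2: [0] EXPLICIT content
    signed_data = next(children(tsr, content))[1]    # d=3: SignedData SEQUENCE
    for tag, start, _ in children(tsr, signed_data):
        if tag == 0xA0:                              # d=4: certificates [0]
            return [tsr[s:e] for t, s, e in children(tsr, start) if t == 0x30]
    return []

def chain_files(tsr):  # -> (leaf_pem, untrusted_pem) as PEM text
    certs = extract_certs(tsr)
    leaf = [c for c in certs if TSA_EKU in c]  # heuristic; confirm with -purpose
    rest = [c for c in certs if TSA_EKU not in c]
    return tuple("".join(map(ssl.DER_cert_to_PEM_cert, g)) for g in (leaf, rest))

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body).to_bytes(2, "big").lstrip(b"\0") or b"\0"
    return bytes([tag]) + (n if len(body) < 0x80 else bytes([0x80 | len(n)]) + n) + body

# Constructed sample: TimeStampResp skeleton holding placeholder (not real) certs.
SAMPLE_CA, SAMPLE_LEAF = tlv(0x30, bytes(200)), tlv(0x30, TSA_EKU)
encap = tlv(0x30, tlv(0xA0, b"\x04\x01x"))  # nested [0] that is not the cert set
signed = tlv(0x30, b"\x02\x01\x03\x31\x00" + encap + tlv(0xA0, SAMPLE_CA + SAMPLE_LEAF))
token = tlv(0x30, bytes.fromhex("06092a864886f70d010702") + tlv(0xA0, signed))
SAMPLE_TSR = tlv(0x30, tlv(0x30, b"\x02\x01\x00") + token)
```

On a real response, pass the bytes of the .tsr file to `chain_files` and write the first string to the certificate file and the second to the -untrusted file.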
@brimston3 Does tsget exist in Ubuntu 18.04 anymore? Can't find it anywhere. |
It would be nice if the README or some other documentation explained what the certificate file should look like, and how to create it? I've tried to figure out which file to use for http://zeitstempel.dfn.de, without any luck so far. The content of https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt was rejected.