Week 12: Building x.509 Certificates
Another week of work on my password manager has gone by and I’ve been making solid progress. One day soon I’ll get around to discussing more about my password manager and cover more of the book but for now I have more boring code examples to share. This week I want (loose term) to talk about x.509 certificates.
x.509
x.509 is a standard that defines the format of public key certificates. You often see these certificates in the form of SSL certificates such as those provided by letsencrypt. Today, I’d like to demonstrate how one can write code to act like their very own CA (Certificate Authority). I will not proclaim to be an expert on certificates or being a CA or anything of the like but what I can profess is how one might get started signing certificates like a CA.
A quick word here: I am not showing any methods for demonstrating ownership of a domain, a vital part of being a responsible CA, but I will show you how to sign a certificate once you have verified ownership. It is important to verify ownership; otherwise you can be the reason a client is compromised by a falsified certificate.
The library I usually use when generating these certificates is BouncyCastle. It's a well known cryptographic library that has tons of different utilities and features. For these examples I'll assume you have a root certificate and root private key already generated with something like openssl. These files will be root.cer and root.key respectively.
I left comments in the code to show what each line or section of lines is trying to do. Like I said, it’s not perfect or ideal but it should get the job done for you.
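The post's own BouncyCastle listing does not appear on this page, so here is an added example in its place. It is not the author's code: it is a Java program written against BouncyCastle's bcprov/bcpkix APIs that loads root.cer and root.key, refuses to sign unless the root certificate actually asserts the CA basic constraint, issues a short-lived leaf certificate whose subject alternative name is the domain you have already verified, signs it with SHA256withRSA, and checks the result against the root's public key before writing it out. The output file name leaf.pem, the hostname example.com, the 90-day validity and the unencrypted PEM key formats it accepts are assumptions.

```java
import java.io.FileReader;
import java.io.FileWriter;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not the post's code): a minimal CA that signs one leaf certificate
// with the root.cer / root.key pair described in the post.
public class MiniCa {
    private static final String ROOT_CERT = "root.cer";
    private static final String ROOT_KEY = "root.key";
    private static final String OUT_PEM = "leaf.pem";   // assumed output file name

    public static void main(String[] args) throws Exception {
        // The hostname whose ownership you have ALREADY verified (assumed default).
        String domain = args.length > 0 ? args[0] : "example.com";
        Security.addProvider(new BouncyCastleProvider());

        X509Certificate rootCert = loadCert(ROOT_CERT);
        PrivateKey rootKey = loadKey(ROOT_KEY);

        // getBasicConstraints() is -1 when cA is not asserted: never sign with a non-CA cert.
        if (rootCert.getBasicConstraints() == -1) {
            throw new IllegalStateException(ROOT_CERT + " does not assert the CA basic constraint");
        }

        // Leaf key pair; in a real flow the public key comes from the requester's CSR.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair leafKeys = kpg.generateKeyPair();

        X509Certificate leaf = issueLeaf(rootCert, rootKey, leafKeys.getPublic(), domain, 90);

        // Throws if the signature does not verify under the root's public key, which also
        // catches a root.key that does not belong to root.cer.
        leaf.verify(rootCert.getPublicKey());

        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter(OUT_PEM))) {
            w.writeObject(leaf);
        }
        System.out.println("Issued " + leaf.getSubjectX500Principal() + ", serial " + leaf.getSerialNumber());
    }

    static X509Certificate issueLeaf(X509Certificate issuer, PrivateKey issuerKey, PublicKey subjectKey,
                                     String domain, int validDays) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validDays));
        // Unpredictable 128-bit serial; sequential serials are a known weakness.
        BigInteger serial = new BigInteger(128, new SecureRandom());
        X500Name issuerName = new JcaX509CertificateHolder(issuer).getSubject();
        X500Name subject = new X500Name("CN=" + domain);

        JcaX509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, subject, subjectKey);
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        // End-entity certificate: explicitly NOT a CA, so it cannot issue further certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        builder.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        // Clients match the host against the SAN, not the CN: this must be the verified domain.
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, domain)));
        builder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectKey));
        builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(issuer));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    static X509Certificate loadCert(String path) throws Exception {
        try (PEMParser p = new PEMParser(new FileReader(path))) {
            Object o = p.readObject();
            if (!(o instanceof X509CertificateHolder)) throw new IllegalArgumentException(path + ": not a PEM certificate");
            return new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder) o);
        }
    }

    static PrivateKey loadKey(String path) throws Exception {
        try (PEMParser p = new PEMParser(new FileReader(path))) {
            Object o = p.readObject();
            JcaPEMKeyConverter conv = new JcaPEMKeyConverter().setProvider("BC");
            if (o instanceof PEMKeyPair) return conv.getKeyPair((PEMKeyPair) o).getPrivate(); // "BEGIN RSA PRIVATE KEY"
            if (o instanceof PrivateKeyInfo) return conv.getPrivateKey((PrivateKeyInfo) o);  // "BEGIN PRIVATE KEY"
            throw new IllegalArgumentException(path + ": not an unencrypted PEM private key");
        }
    }
}
```

Compile and run it with bcprov and bcpkix on the classpath, passing the verified hostname as the first argument. The two checks worth keeping even if you strip everything else are the `getBasicConstraints()` guard, which stops you from accidentally chaining off a certificate that was never meant to be a CA, and the post-signing `verify()` call, which proves the key you loaded really matches root.cer before the certificate ever leaves the machine.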
Closing Remarks
This isn’t my favorite post by any means but I honestly didn’t get much done this week. I won’t make any excuses but it has been a busy week.
See ya next week.
