[openssl-users] How to add CT Precertificate SCTs to a server certificate?

2015-04-19 Thread Jeffrey Walton
Browsers are starting to enforce Certificate Transparency (CT).

Below is a sample of CT Precertificate SCTs, which is required for CT.
It includes a new certificate extension with an OID of
1.3.6.1.4.1.11129.2.4.2.

How do we use `openssl req` and a CONF file to add the information
(assuming we already have the certified timestamps)?

*

$ openssl s_client -connect embed.ct.digicert.com:443 -tls1 -servername embed.ct.digicert.com | \
openssl x509 -text -noout
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e0:aa:80:19:13:06:8a:28:73:f0:24:29:3e:e4:61
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Validity
Not Before: Nov 13 00:00:00 2014 GMT
Not After : Nov 18 12:00:00 2015 GMT
Subject: C=US, ST=Utah, L=Lehi, O=DigiCert, Inc.,
CN=embed.ct.digicert.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:64:73:61:53:66:b8:aa:80:c7:cc:53:67:6a:
df:da:a9:b1:6a:c5:53:63:55:5f:14:4c:b3:27:d1:
3c:e4:0a:1a:e7:16:48:bc:15:46:7e:63:e8:27:3c:
c5:28:bd:79:cf:34:d5:9a:67:1e:0c:27:6e:ec:00:
5e:69:38:5b:a7:16:4f:b9:09:ec:fc:7e:f2:41:b7:
f9:54:f4:6c:c3:22:a6:f5:99:f4:be:9d:64:26:75:
9e:b2:b9:16:d7:f5:51:9f:53:ce:74:ca:d6:d6:7a:
4a:d4:4d:0e:4d:73:93:30:3c:b9:b8:1d:a0:d8:94:
8c:59:7e:82:a4:4c:82:fc:c3:73:7f:b1:56:28:4e:
b5:f7:73:53:ac:7b:30:a4:bc:b9:6c:c0:b6:67:0d:
19:5e:40:22:11:11:8c:6d:3a:87:47:08:e6:5c:7b:
17:7c:64:7a:a1:ff:8c:7c:37:b6:b7:91:2c:c2:90:
7e:cc:48:1f:57:1e:f9:db:d4:ac:cf:d9:2b:60:ff:
13:2d:88:c5:7e:d8:eb:ec:ed:85:d7:9e:f9:56:32:
ca:c1:6b:24:64:9f:63:ba:83:ee:a1:85:4a:e3:ad:
45:8c:92:95:3a:e0:80:91:9b:60:b5:75:88:86:4e:
0f:81:8c:b5:f4:77:fd:e5:f3:36:f6:33:d6:2b:a0:
c4:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:

keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

X509v3 Subject Key Identifier:
88:4F:83:16:87:AD:AE:1E:FF:04:4A:79:66:92:C6:9F:62:69:4F:B1
X509v3 Subject Alternative Name:
DNS:embed.ct.digicert.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:

Full Name:
  URI:http://crl3.digicert.com/ssca-sha2-g3.crl

Full Name:
  URI:http://crl4.digicert.com/ssca-sha2-g3.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
  CPS: https://www.digicert.com/CPS

Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers -
URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version   : v1(0)
Log ID: A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Nov 13 16:57:03.632 2014 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:06:14:6A:E3:6D:0F:84:5D:6A:98:E7:29:
94:80:8B:F2:A4:23:85:68:4E:F9:BC:50:7C:FF:7B:94:
EB:20:54:82:02:21:00:91:63:83:FD:F6:31:5E:38:08:
AF:A7:5E:00:B7:0B:9B:1F:8B:FD:4D:7E:49:3C:43:E6:
64:E5:4B:F9:60:D7:89
Signed Certificate Timestamp:
Version   : v1(0)
Log ID: 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
Timestamp : Nov 13 16:57:03.619 2014 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:61:4F:69:89:80:6A:62:2D:8E:A2:D0:24:
A5:E2:1D:74:67:51:77:C1:9B:DE:99:DE:16:56:2B:02:
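
Worked example, added here and not part of the original post or of OpenSSL: given SCTs already obtained from the logs, this Python script serialises them into the RFC 6962 SignedCertificateTimestampList, decodes the result back as a consistency check, and prints the openssl.cnf line that embeds the list as extension 1.3.6.1.4.1.11129.2.4.2 via OpenSSL's arbitrary-extension (`ASN1:FORMAT:HEX,OCT:`) syntax. The sample SCT is the first one printed in the quoted `openssl x509 -text` output above (log ID, timestamp and ECDSA signature copied from it); the second SCT is left out because its signature is cut off there. The function names (encode_sct_list, decode_sct_list, openssl_cnf_line) are my own.

```python
"""Encode/decode an RFC 6962 SignedCertificateTimestampList and emit the
openssl.cnf line for the embedded-SCT extension (added example, not from
the original post or from OpenSSL)."""
import struct
from datetime import datetime, timezone
from typing import List, NamedTuple

SCT_EXT_OID = "1.3.6.1.4.1.11129.2.4.2"   # embedded SCT list, RFC 6962 section 3.3

# TLS HashAlgorithm / SignatureAlgorithm code points (RFC 5246 section 7.4.1.4.1)
HASH_SHA256 = 4
SIG_ECDSA = 3


class SCT(NamedTuple):
    log_id: bytes        # 32-byte SHA-256 of the log's public key
    timestamp_ms: int    # milliseconds since the Unix epoch, UTC
    extensions: bytes    # CtExtensions; empty for every v1 log
    hash_alg: int
    sig_alg: int
    signature: bytes     # DER-encoded ECDSA signature (the 30:45:... blob)


def encode_sct(sct: SCT) -> bytes:
    """Serialise one v1 SCT as the TLS struct in RFC 6962 section 3.2."""
    if len(sct.log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    return b"".join([
        b"\x00",                                   # sct_version = v1
        sct.log_id,
        struct.pack(">Q", sct.timestamp_ms),
        struct.pack(">H", len(sct.extensions)) + sct.extensions,
        bytes([sct.hash_alg, sct.sig_alg]),
        struct.pack(">H", len(sct.signature)) + sct.signature,
    ])


def encode_sct_list(scts: List[SCT]) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then each SCT
    prefixed by its own 2-byte length."""
    body = b"".join(struct.pack(">H", len(e)) + e for e in map(encode_sct, scts))
    if not 1 <= len(body) <= 0xFFFF:
        raise ValueError("sct_list length out of range")
    return struct.pack(">H", len(body)) + body


def _decode_sct(b: bytes) -> SCT:
    if len(b) < 45:                  # version + log_id + timestamp + 2 lengths + 2 algs
        raise ValueError("SCT too short")
    if b[0] != 0:
        raise ValueError("only SCT version v1 is defined")
    log_id = b[1:33]
    (ts,) = struct.unpack(">Q", b[33:41])
    (ext_len,) = struct.unpack(">H", b[41:43])
    p = 43 + ext_len
    ext = b[43:p]
    hash_alg, sig_alg = b[p], b[p + 1]
    (sig_len,) = struct.unpack(">H", b[p + 2:p + 4])
    sig = b[p + 4:p + 4 + sig_len]
    if p + 4 + sig_len != len(b):
        raise ValueError("SCT length does not match its fields")
    return SCT(log_id, ts, ext, hash_alg, sig_alg, sig)


def decode_sct_list(data: bytes) -> List[SCT]:
    """Inverse of encode_sct_list; rejects truncated input and trailing bytes."""
    if len(data) < 2:
        raise ValueError("missing list length")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("sct_list length does not match data")
    pos, out = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("SCT entry runs past end of list")
        out.append(_decode_sct(data[pos:pos + n]))
        pos += n
    return out


def openssl_cnf_line(scts: List[SCT]) -> str:
    """Arbitrary-extension line for an x509v3 section. OpenSSL wraps the hex
    in an OCTET STRING, which is the extension value type RFC 6962 requires."""
    return f"{SCT_EXT_OID} = ASN1:FORMAT:HEX,OCT:{encode_sct_list(scts).hex().upper()}"


def ms_since_epoch(dt: datetime) -> int:
    """Exact millisecond timestamp for an aware datetime (no float rounding)."""
    delta = dt - datetime(1970, 1, 1, tzinfo=timezone.utc)
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000


# Sample input: the first SCT from the quoted certificate dump above.
_LOG_ID = bytes.fromhex("A4B90990B418581487BB13A2CC67700A" "3C359804F91BDFB8E377CD0EC80DDC10")
_SIG = bytes.fromhex(
    "3045022006146AE36D0F845D6A98E729" "94808BF2A42385684EF9BC507CFF7B94"
    "EB205482022100916383FDF6315E3808" "AFA75E00B70B9B1F8BFD4D7E493C43E6"
    "64E54BF960D789")
SAMPLE_SCTS = [SCT(
    _LOG_ID,
    ms_since_epoch(datetime(2014, 11, 13, 16, 57, 3, 632_000, tzinfo=timezone.utc)),
    b"", HASH_SHA256, SIG_ECDSA, _SIG)]

if __name__ == "__main__":
    print(openssl_cnf_line(SAMPLE_SCTS))
    for s in decode_sct_list(encode_sct_list(SAMPLE_SCTS)):
        print(s.log_id.hex(), datetime.fromtimestamp(s.timestamp_ms / 1000, timezone.utc))
```

Put the printed line in the x509v3 section you issue from (for example `[ v3_leaf ]`) and reference it with `openssl x509 -req -extfile ext.cnf -extensions v3_leaf ...`; `openssl req -x509 ... -extensions v3_leaf` reads the same kind of section. One caveat from RFC 6962 section 3.3: each embedded SCT is a signature over the precertificate's TBSCertificate (serial, issuer, validity, subject, key and all other extensions, with the critical poison extension 1.3.6.1.4.1.11129.2.4.3 removed), so the final certificate must reproduce those fields exactly; issuing it with a new serial, validity or key leaves the embedded SCTs failing signature verification in any CT-enforcing client.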

[openssl-users] CTX_free crash

2015-04-19 Thread dE

I got a program which does the following sequence of operations --

SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
close(socket);

Where 'socket' is the underlying non-blocking socket the ssl connection 
is established over. bio is also set to non-blocking.


Sometimes, the program crashes when doing an SSL_CTX_free; before the 
crash, ctx is an invalid pointer, that's why I can get a valid value 
from SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem.


I tried removing SSL_shutdown(ssl) with no improvements.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] CTX_free crash

2015-04-19 Thread Salz, Rich
> Sometimes, the program crashes when doing an SSL_CTX_free; before the
> crash, ctx is an invalid pointer, that's why I can get a valid value from
> SSL_CTX_get_max_cert_list (ctx), so it's not a double free problem.

You mean it's a VALID pointer?

We'll need a more detailed backtrace.