@devilelephant
Created June 19, 2023 15:06
Create self-signed StirShaken Certificates for unit testing

Guide for creating self-signed StirShaken Certificates for unit testing

NOTE: Taken from https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates/

Become a Certificate Authority (CA)

Create a cert to act as our CA.

Make a CA work directory

mkdir certificate-authority
cd certificate-authority

Generate a CA private key

openssl ecparam -noout -name prime256v1 \
    -genkey -out ca-key.pem

Generate a CA self-signed certificate

Note: 36500 days, roughly 100 years. Fine for a unit-test fixture; a real CA should never be issued with a lifetime like this.

openssl req -new -x509 -days 36500 \
    -key ca-key.pem -subj "/CN=stir-shaken-ca" \
    -out ca-cert.pem

We're now a functioning Cert Authority!

Issue a certificate for a StirShaken Service Provider (SP)

Make an SP work directory

mkdir service-provider
cd service-provider

Generate an SP private key

openssl ecparam -noout -name prime256v1 \
    -genkey -out sp-key.pem

Generate an openssl.conf file

Here is where STIR/SHAKEN comes into play: the SP certificate must carry the TNAuthList extension (OID 1.3.6.1.5.5.7.1.26, defined in RFC 8226), which states the Service Provider Code or telephone numbers the holder is authorized to sign for. Without it, most STIR/SHAKEN software will reject the certificate.

The steps below create the openssl.conf file and append the extension.

Create TNAuthList.conf file

This is an OpenSSL asn1parse -genconf description of the extension value: a TNAuthList SEQUENCE with one entry, the [0] explicitly tagged spc choice from RFC 8226, an IA5String holding Service Provider Code 1001. Tests that need a different SPC change only that value.

cat > TNAuthList.conf << EOF
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:1001
EOF

Convert TNAuthList.conf to der format

openssl asn1parse -genconf TNAuthList.conf -out TNAuthList.der

Create openssl.conf file

cat > openssl.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = "SHAKEN"
[ v3_req ]
EOF

Append the TNAuthList extension

printf '1.3.6.1.5.5.7.1.26=DER:%s\n' \
    "$(od -An -v -t x1 TNAuthList.der | tr -d ' \n')" >> openssl.conf

Unix Notes

od dumps the file as hex bytes: -An drops the offset column and -v stops od from eliding repeated lines, so the command stays correct even when the DER grows past the 16 bytes od prints per line. tr strips the spaces and newlines, and printf prefixes the TNAuthList OID and the DER: marker that tells OpenSSL to embed the bytes verbatim as an extension. OpenSSL accepts the hex with or without colon separators.

Generate a certificate signing request (CSR)

openssl req -new -nodes -key sp-key.pem -keyform PEM \
    -subj '/C=US/ST=CO/L=Denver/O=DummyCompany Inc./OU=VOIP/CN=SHAKEN' \
    -sha256 -config openssl.conf \
    -out sp-csr.pem

Use our CA to accept the CSR and issue a certificate

Again, valid for 100 years.

openssl x509 -req -in sp-csr.pem \
  -CA ../certificate-authority/ca-cert.pem -CAkey ../certificate-authority/ca-key.pem -CAcreateserial \
  -days 36500 -sha256 -extfile openssl.conf -extensions v3_req -out sp-cert.pem

Create an expired cert

Note: This certificate is valid for one day, so expiration logic can only be exercised 24 hours after creation, unless the validation is run as of a future timestamp with openssl verify -attime.

openssl x509 -req -in sp-csr.pem \
  -CA ../certificate-authority/ca-cert.pem -CAkey ../certificate-authority/ca-key.pem -CAcreateserial \
  -days 1 -sha256 -extfile openssl.conf -extensions v3_req -out sp-cert-expired.pem

Inspect the certificate

openssl x509 -in sp-cert.pem -text -noout

OpenSSL has no decoder for the TNAuthList OID, so the extension is listed as 1.3.6.1.5.5.7.1.26 followed by its raw bytes rather than a decoded SPC. This prints the certificate; it does not validate it against the CA.
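The whole procedure end to end, as an added example (my own script, not the gist's or the OpenSIPS post's): it builds the CA, the TNAuthList DER, the SP CSR and both certificates into one directory, then does what the inspection step above does not: verifies the chain with openssl verify, reads the SPC back out of the issued certificate's TNAuthList with asn1parse -strparse, and shows the one-day certificate being rejected by validating it as of two days from now with -attime, so the 24-hour wait is unnecessary. Assumptions not in the gist: the function names, a single config file holding a v3_ca section with basicConstraints and keyUsage (the gist relies on OpenSSL's default config for the CA's extensions), and a scratch directory from mktemp.

```shell
#!/bin/sh
# Added example, not from the gist or the OpenSIPS post it comes from: the steps
# above as shell functions plus the checks a STIR/SHAKEN verifier makes. Assumed
# by me: function names, one shared openssl.conf, an explicit v3_ca section (the
# gist leaves CA extensions to OpenSSL's default config), and openssl verify.
set -u

TNAUTHLIST_OID=1.3.6.1.5.5.7.1.26
SPC=1001    # Service Provider Code placed in the TNAuthList, as in the gist

# TNAuthList DER: SEQUENCE { [0] EXPLICIT IA5String spc }.  $1 = work dir
make_tnauthlist_der() {
    printf 'asn1=SEQUENCE:tn_auth_list\n[tn_auth_list]\nfield1=EXP:0,IA5:%s\n' \
        "$SPC" > "$1/TNAuthList.conf"
    openssl asn1parse -genconf "$1/TNAuthList.conf" -noout -out "$1/TNAuthList.der"
}

# One config for both certs.  $1 = output path, $2 = TNAuthList DER file.
write_openssl_conf() {
    hex=$(od -An -v -t x1 "$2" | tr -d ' \n')   # -v: never elide repeated lines
    cat > "$1" << EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = "SHAKEN"
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
$TNAUTHLIST_OID=DER:$hex
EOF
}

# CA key and 100-year self-signed CA certificate.  $1 = work dir
make_ca() {
    openssl ecparam -noout -name prime256v1 -genkey -out "$1/ca-key.pem"
    openssl req -new -x509 -days 36500 -key "$1/ca-key.pem" -subj "/CN=stir-shaken-ca" \
        -config "$1/openssl.conf" -extensions v3_ca -out "$1/ca-cert.pem"
}

# SP key and CSR carrying the TNAuthList request extension.  $1 = work dir
make_sp_csr() {
    openssl ecparam -noout -name prime256v1 -genkey -out "$1/sp-key.pem"
    openssl req -new -key "$1/sp-key.pem" -sha256 -config "$1/openssl.conf" \
        -subj '/C=US/ST=CO/L=Denver/O=DummyCompany Inc./OU=VOIP/CN=SHAKEN' \
        -out "$1/sp-csr.pem"
}

# CA-issued SP certificate.  $1 = work dir, $2 = validity in days, $3 = output
issue_sp_cert() {
    openssl x509 -req -in "$1/sp-csr.pem" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days "$2" -sha256 \
        -extfile "$1/openssl.conf" -extensions v3_req -out "$3"
}

build_all() {   # $1 = work dir; produces everything the gist does
    mkdir -p "$1"
    make_tnauthlist_der "$1"
    write_openssl_conf "$1/openssl.conf" "$1/TNAuthList.der"
    make_ca "$1"
    make_sp_csr "$1"
    issue_sp_cert "$1" 36500 "$1/sp-cert.pem"
    issue_sp_cert "$1" 1     "$1/sp-cert-expired.pem"
}

# Chain check against the CA, optionally as of a Unix timestamp ($3): that is
# how to exercise the one-day certificate without waiting for it to expire.
verify_at() {   # $1 = work dir, $2 = leaf cert, $3 = Unix time or empty
    openssl verify -CAfile "$1/ca-cert.pem" ${3:+-attime "$3"} "$2" > /dev/null 2>&1
}

# Read the SPC back out of a certificate's TNAuthList. openssl has no printer
# for this OID (x509 -text only dumps the bytes), so locate the extension's
# OCTET STRING in the asn1parse listing and re-parse its contents as DER.
tnauthlist_spc() {   # $1 = cert PEM; prints the SPC, fails if there is none
    off=$(openssl asn1parse -in "$1" | awk -v oid=":$TNAUTHLIST_OID" '
        found && /OCTET STRING/ { print ($1 + 0); exit }
        index($0, oid)          { found = 1 }')
    [ -n "$off" ] || return 1
    openssl asn1parse -in "$1" -strparse "$off" | sed -n 's/.*IA5STRING *:\(.*\)$/\1/p'
}

main() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir"
    build_all "$dir" > /dev/null 2> "$dir/openssl.log" \
        || { echo "openssl failed, see $dir/openssl.log" >&2; exit 1; }
    later=$(( $(date +%s) + 2 * 86400 ))
    verify_at "$dir" "$dir/sp-cert.pem" ""       && echo "sp-cert.pem: chain OK now"
    verify_at "$dir" "$dir/sp-cert.pem" "$later" && echo "sp-cert.pem: still OK two days out"
    verify_at "$dir" "$dir/sp-cert-expired.pem" "$later" \
        || echo "sp-cert-expired.pem: rejected two days out, as intended"
    echo "TNAuthList SPC: $(tnauthlist_spc "$dir/sp-cert.pem")   (artifacts in $dir)"
}
main "${1:-}"
```

Run it with no arguments to build into a fresh temp directory, or pass a directory of your own. Because openssl x509 -text cannot decode 1.3.6.1.5.5.7.1.26, tnauthlist_spc is the check to reach for in a unit test that wants to assert on the SPC instead of eyeballing a hex dump.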