This project provides generator for certificates and CRLs conforming to CA/Browser Forum S/MIME Baseline Requirements inspired by smbr-cert-factory project.
Certificates and CRLs will be generated using pure JavaScript jsrsasign PKI library.
Generator scripts requires Node.JS and /bin/sh.
Download the package from here. Then run following:
% unzip smbr-cert-generator-main.zip
% cd smbr-cert-generator-main
% cd data
% npm install jsrsasign jsrsasign-util
% sh ./makecert.sh
You can see generated certificates and CRLs in ../artifacts directory.
All of certificate and CRL parameters are defined as JSON in data directory. So you can modify and add them such as validity period, names, mail addresses or extensions. Here is a data/mailbox-validated_strict.json:
{
"version": 3,
"serial": {"hex": "7b2c41983c7f8e0f82fc8fb7b1aedde23882ad4c"},
"sigalg": "SHA256withRSA",
"issuer": {
"str": "/C=US/O=Foo Industries Limited/CN=Intermediate CA",
"array": [
[{"type": "C", "ds": "prn", "value": "US"}],
[{"type": "O", "ds": "utf8", "value": "Foo Industries Limited"}],
[{"type": "CN", "ds": "utf8", "value": "Intermediate CA"}]
]
},
"notbefore": "230419000000Z",
"notafter": "230718235959Z",
"subject": {
"str": "/CN=hanako.yamada@example.com/E=hanako.yamada@example.com",
"array": [
[{"type": "CN", "ds": "utf8", "value": "hanako.yamada@example.com"}],
[{"type": "E", "ds": "ia5", "value": "hanako.yamada@example.com"}]
]
},
"sbjpubkey": "testRSA2048.p8.pub",
"ext": [
{
"extname": "basicConstraints",
"critical": true
},
{
"extname": "keyUsage",
"critical": true,
"names": ["digitalSignature"]
},
{
"extname": "authorityKeyIdentifier",
"kid": "testRSA4096.p8.pub"
},
{
"extname": "subjectKeyIdentifier",
"kid": "testRSA2048.p8.pub"
},
{
"extname": "certificatePolicies",
"array": [{"policyoid": "smimeMailboxStrict"}]
},
{
"extname": "cRLDistributionPoints",
"array": [
{"dpname": {"full": [{"uri": "http://crl.ca.example.com/issuing_ca_crl.crl"}]}}
]
},
{
"extname": "authorityInfoAccess",
"array": [{"caissuer": "http://repository.ca.example.com/issuing_ca.der"}]
},
{
"extname": "extKeyUsage",
"array": ["emailProtection"]
},
{
"extname": "subjectAltName",
"array": [
{"rfc822": "hanako.yamada@example.com"},
{
"other": {
"oid": "smtpUTF8Mailbox",
"value": {"utf8str": {"str": "山田花子@example.com"}}
}
}
]
}
],
"cakey": "testRSA4096.p5p.prv"
}All of private key are defined in the IETF Internet-Draft Standard PKC Test Keys and their files are stored in data directory.
- testECCP256.p5p.prv: PKCS#1 PEM EC P-256 curve private key (Root CA)
- testECCP256.p8.pub: PKCS#8 PEM EC P-256 curve public key
- testRSA4096.p5p.prv: PKCS#1 PEM RSA 4096bit private key (Intermediate CA)
- testRSA4096.p8.pub: PKCS#8 PEM RSA 4096 public key
- testRSA2048.p5p.prv: PKCS#1 PEM RSA 2048bit private key (End Entity)
- testRSA2048.p8.pub: PKCS#8 PEM RSA 2048bit public key
Public key files are generated from them by openssl command.
% openssl rsa -in testRSA4096.p5p.prv -pubout -out testRSA4096.p8.pub
% openssl ec -in testP256.p5p.prv -pubout -out testP256.p8.pub
classDiagram
direction LR
class RootCA {
CN=Root CA, O=Foo Industries Limited, C=US
key=testECCP256
}
class IssuingCA {
CN=Intermediate CA, O=Foo Industries Limited, C=US
key=testRSA4096
}
class EndEntities {
key=testRSA2048
}
RootCA --|> IssuingCA
IssuingCA --|> EndEntities
Difference among S/MIME BR sample certificate fields is shown in the following table:
| Field | Mailbox | Organization | Sponsored | Individual | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Strict | Multi | Legacy | Strict | Multi | Legacy | Strict | Multi | Legacy | Strict | Multi | Legacy | |
| Subject E | o | o | o | o | o | o | o | o | o | o | o | o |
| Subject CN | - | - | - | fullname | fullname | fullname | fullname | fullname | fullname | |||
| Subject SN | - | - | - | - | - | - | o | o | o | o | o | - |
| Subject GN | - | - | - | - | - | - | o | o | o | o | o | - |
| Subject O | - | - | - | o | o | o | o | o | o | - | - | - |
| Subject organizationIdentifier | - | - | - | o | o | o | o | o | o | - | - | - |
| Subject Other(DC) | - | - | - | - | - | o | - | - | o | - | - | o |
| Certificate Policies | specific | specific | specific | specific | specific | specific | specific | specific | specific | specific | specific | specific |
| EKU emailProtection | o | o | o | o | o | o | o | o | o | o | o | o |
| EKU clientAuth | - | o | o | - | o | o | - | o | o | - | o | o |
| CRLDistributionPoints HTTP | o | o | o | o | o | o | o | o | o | o | o | o |
| CRLDistributionPoints LDAP | - | - | o | - | - | o | - | - | o | - | - | o |
| SAN RFC822 | o | o | o | o | o | o | o | o | o | o | o | o |
| SAN Other smtpUTF8Mbox | o | o | o | o | o | o | o | o | o | o | o | o |
| SAN Other UPN | - | o | o | - | - | o | - | o | o | - | o | o |
| SAN DN CN | - | - | - | - | - | - | fullname | fullname | fullname | fullname | fullname | fullname |
| SAN DN SN | - | - | - | - | - | - | o | o | o | o | o | - |
| SAN DN GN | - | - | - | - | - | - | o | o | o | o | o | - |
| SAN DN O | - | - | - | o | o | o | o | o | o | - | - | - |
| SAN DN organizationIdentifier | - | - | - | o | o | o | o | o | o | - | - | - |
| LEI | - | - | - | - | - | - | o | o | o | - | - | - |
| Role | - | - | - | - | - | - | o | o | o | - | - | - |
| SubjectDirectoryAttributes | - | - | o | - | - | o | - | - | o | - | - | o |
| Root CA | Intermediate CA |
|---|---|
| view | view |
| Strict | Multi Purpose | Legacy | |
|---|---|---|---|
| Mailbox | view | view | view |
| Organization | view | view | view |
| Sponsored | view | view | view |
| Individual | view | view | view |
- longer validity period in certs and CRLs (rootCA, interediateCA: 11yrs, legacy:1185days, strict,multi:825days) from Apr 1, 2023.
- add missing {mailbox,organization,sponsored}-validated_legacy certificates
- Current jsrsasign can only handle LEI and Role extension in primitive way. This needs jsrsasign update.