eu-digital-green-certificates / dgc-overview

This repository provides an overview over the EU Digital Green Certificates (DGC) project.
Apache License 2.0

Howto Guide for each Certificate that needs to be created #24

Closed psavva closed 3 years ago

psavva commented 3 years ago

I am currently looking at all the certificates that we need to generate, based on the guide within this repo. Let us start with the CSCA using a self-signed Root CA which we could create ourselves. I am having trouble filling in all the gaps of how exactly the Root CA must be created, the NBcsca, etc...

Example of what I'm doing:

Generate the private key of the root CA: openssl genrsa -out rootCAKey.pem 4096

Generate the private key of the root CA: openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem -subj "/C=XX/ST=State/L=City/O=My Organization/OU=My Department/CN=My Root CA"

Create a NBcsca

openssl req -x509 -newkey rsa:4096 -keyout key_nbcsca.pem -out cert_nbcsca.pem -days 1460 -nodes -subj "/C=XX/ST=State/L=City/O=My Organization/OU=My Department/CN=XX DGC CSCA 1"

Export public key to Java Keystore: keytool -importcert -alias dgci_nbcsca -file cert_nbcsca.pem -keystore nbcsca.jks -storepass somesecurekeystorepassword

I think I'm missing passwords in these steps above, which I think is the problem...

As per the issuance service application.yaml specification:

issuance:
  dgciPrefix: dgci:V1:DE
  keyStoreFile: certs/test.jks
  keyStorePassword: dgca
  certAlias: edgc_dev_ec
  privateKeyPassword: dgca
  countryCode: DE

I need a keyStorePassword, which is specified above as somesecurekeystorepassword; however, I'm missing the privateKeyPassword.

A full list of openssl commands to depict exact steps would be most helpful, better yet, a bash/sh script to accompany it would really help people get over the bumps and complexities on creating the certificates with the right specifications from the start, leading to a much smoother rollout for Europe.
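The gap described in the post above, as an added example that is not part of the original thread or of the project's own scripts: `keytool -importcert` stores only a certificate, so there is no private key to protect, whereas `openssl pkcs12 -export` creates a key entry whose alias and password map to `certAlias`, `keyStorePassword` and `privateKeyPassword`. The EC P-256 keys, subjects, validity periods, alias and password below are assumptions, not DGC requirements stated on this page.

```shell
#!/bin/sh
# Added example: CSCA -> DSC -> password-protected PKCS#12 keystore.
# Assumptions (not from the thread): EC P-256 keys, placeholder subjects,
# validity periods, and the sample alias/password below.
set -e

ALIAS="dgc_example_dsc"          # hypothetical value for certAlias
STORE_PASS="change-me-example"   # constructed sample password

make_keystore() {  # $1 = output directory
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CSCA key and certificate.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/csca_key.pem"
  openssl req -x509 -new -sha256 -key "$dir/csca_key.pem" -days 1460 \
    -subj "/C=XX/O=My Organization/CN=XX DGC CSCA 1" -out "$dir/csca_cert.pem"
  # 2. DSC key and CSR, signed by the CSCA.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/dsc_key.pem"
  openssl req -new -sha256 -key "$dir/dsc_key.pem" \
    -subj "/C=XX/O=My Organization/CN=XX DGC DSC 1" -out "$dir/dsc.csr"
  openssl x509 -req -sha256 -in "$dir/dsc.csr" -CA "$dir/csca_cert.pem" \
    -CAkey "$dir/csca_key.pem" -CAcreateserial -days 730 \
    -out "$dir/dsc_cert.pem" 2>/dev/null
  # 3. Bundle DSC key + certificate under one alias. With PKCS#12 the single
  #    export password protects both the store and the key, so it serves as
  #    keyStorePassword and privateKeyPassword alike.
  openssl pkcs12 -export -name "$ALIAS" -inkey "$dir/dsc_key.pem" \
    -in "$dir/dsc_cert.pem" -certfile "$dir/csca_cert.pem" \
    -passout "pass:$STORE_PASS" -out "$dir/dsc.p12"
}

keystore_has_key() {  # $1 = .p12 file, $2 = password; true if a key decrypts
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

dsc_chains_to_csca() {  # $1 = directory written by make_keystore
  openssl verify -CAfile "$1/csca_cert.pem" "$1/dsc_cert.pem" >/dev/null 2>&1
}

# Stand-alone use: sh script.sh <output-dir>
if [ "$#" -gt 0 ]; then
  make_keystore "$1"
  keystore_has_key "$1/dsc.p12" "$STORE_PASS" && echo "key entry present"
fi
```

If a JKS file is needed, `keytool -importkeystore -srckeystore dsc.p12 -srcstoretype PKCS12 -destkeystore dsc.jks` converts the result.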

daniel-eder commented 3 years ago

@SchulzeStTSI Do we have this documented already somewhere?

psavva commented 3 years ago

Hi,

As per the guide, please can steps be given for the following certificates:

Also please provide the commands to generate the PEM formats to send the certificates to the contact of the Test Operator.

I think it should be published here? https://github.com/eu-digital-green-certificates/dgc-participating-countries/blob/main/gateway/CertificatePreperation.md

Again, thank you very much and best regards Panayiotis Savva

SchulzeStTSI commented 3 years ago

@FayR-DTSEC or @dirkx can you help @psavva here?

psavva commented 3 years ago

Hi All,

A full document with instructions would be extremely helpful. Please can I ask if this can be prioritised.

We are planning to start UAT testing by the 17th, and really need to ensure our end-to-end process is working, which will require the certificates to be put in place.

Thank you and best regards Panayiotis Savva

psavva commented 3 years ago

Dear Team,

Please review these scripts, and assess if anything further must be fixed/enhanced to have a fully working set of scripts to generate the required certificates.

Please note that I am failing to validate my QR Code with my current set of Certificates; you can also see an issue opened here: https://github.com/eu-digital-green-certificates/dgca-verifier-service/issues/31

@f11h as discussed on Slack, please find the scripts below.

CertificateGeneration.zip

psavva commented 3 years ago

I'm uploading my latest scripts, which work and were tested with the DSC Certificate :)

GenerateCertificates.zip

daniel-eder commented 3 years ago

Closing this for now - if new issues arise, please open a new issue.