--------------------------------------------------------------------------------
File:         ChainCreationInstructions.txt

Description:  This folder contains INI files that are required to generate the
              following test cert chains. Certs will be copied onto the file
              system AND the MY store when they are generated by certreq.exe.

              Note that typically certreq.exe operates on INF files, but in this
              folder we use INI files so that our build system does not complain
              about INFs being in the tree but not in the CryptoPkg.dsc file.

              To create your own certificates and signatures for testing, this
              file demonstrates how the test certificate chains and signatures
              were created.

              To create test signatures, run SignFirmwareWithEKUs.cmd (with
              SignTool.exe in your path). You can then use your favorite
              BinaryToHex converter to convert the binary into a byte array that
              you can include in unit tests.

Copyright (C) Microsoft Corporation. All Rights Reserved.
--------------------------------------------------------------------------------

Cert Chain:

------------------------------------------
|                                        |   // Root of trust. ECDSA P521 curve
|    TestEKUParsingRoot                  |   // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE |
|                                        |   //                    CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
                    ^
                    |
------------------------------------------
|                                        |   // Issues subordinate CAs. ECC P384 curve.
|    TestEKUParsingPolicyCA              |   // SHA 256 Key Usage:
|                                        |   //                    CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
------------------------------------------
                    ^
                    |
------------------------------------------
|                                        |   // Issues end-entity (leaf) signers. ECC P256 curve.
|    TestEKUParsingIssuingCA             |   // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
|                                        |   // Enhanced Key Usage:
------------------------------------------   //   1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
                    ^
                    |
--------------------------------------
/                                    /   // Leaf signer, ECC P256 curve.
/    TestEKUParsingLeafSigner        /   // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
/                                    /   // Enhanced Key Usages:
--------------------------------------   //   1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
                                         //   1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.

---------------------------------------------------------------------------------
--- files required ---

TestEKUParsingRoot.ini              - This certificate is the root CA under which all CAs live.
TestEKUParsingPolicyCA.ini          - This policy CA will issue subordinate CAs with EKU constraints.
TestEKUParsingIssuingCA.ini         - CA to issue end-entity leafs.
TestEKUParsingLeafSigner.ini        - End-entity leaf signer.
TestEKUParsingLeafSignerPid12345.ini - End-entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
TestEKUParsingNoEKUsInSigner.ini    - Leaf with no EKUs specified.
TestEKUParsingLeafSignerPid1.ini    - Test with naming files .ini, to get around build complaints.

--- Commands to execute ---

certreq.exe -new TestEKUParsingRoot.ini TestEKUParsingRoot.cer
certreq.exe -new -q -cert "TestEKUParsingRoot" TestEKUParsingPolicyCA.ini TestEKUParsingPolicyCA.cer
certreq.exe -new -q -cert "TestEKUParsingPolicyCA" TestEKUParsingIssuingCA.ini TestEKUParsingIssuingCA.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini TestEKUParsingLeafSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini TestEKUParsingNoEKUsInSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini TestEKUParsingLeafSignerPid1.cer

---------------------------------------------------------------------------------

Then start mmc -> Add certificates, Local Computer -> open Personal/Certs and
export the keys into the pfx files below.

Note: You should see a little key on the top left of each cert icon, which means
you have the private key for this cert. If you don't see it, something is wrong.

For each cert, right-click and do All Tasks -> Export. Yes, export the private
key. PKCS#12 format, include all certs in the path if possible.

If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet
which has an Export-PfxCertificate command.

Passwords:

TestEKUParsingRoot.pfx               == TestEKUParsingRoot
TestEKUParsingPolicyCA.pfx           == TestEKUParsingPolicyCA
TestEKUParsingIssuingCA.pfx          == TestEKUParsingIssuingCA
TestEKUParsingLeafSigner.pfx         == TestEKUParsingLeafSigner
TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
TestEKUParsingNoEKUsInSigner.pfx     == TestEKUParsingNoEKUsInSigner
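As an added example (not a script shipped in this folder), the following PowerShell automates the certreq.exe chain build above and replaces the mmc export step with the PKI module's Export-PfxCertificate, using the password convention listed above. It assumes an elevated shell run from the folder holding the .ini files, that each INI sets the subject CN to the file's base name, and that the keys land in the Local Computer MY store (Cert:\LocalMachine\My).

```powershell
# Added example: build the TestEKUParsing chain with certreq.exe and export each
# cert plus private key to a PFX, checking the private key is present (the
# "little key" check from the mmc instructions) before exporting.
$ErrorActionPreference = 'Stop'
$Store = 'Cert:\LocalMachine\My'   # assumption; use Cert:\CurrentUser\My if the INIs omit MachineKeySet

# (name, issuer) pairs in chain order; a $null issuer means the self-signed root.
$Chain = @(
    @{ Name = 'TestEKUParsingRoot';               Issuer = $null },
    @{ Name = 'TestEKUParsingPolicyCA';           Issuer = 'TestEKUParsingRoot' },
    @{ Name = 'TestEKUParsingIssuingCA';          Issuer = 'TestEKUParsingPolicyCA' },
    @{ Name = 'TestEKUParsingLeafSigner';         Issuer = 'TestEKUParsingIssuingCA' },
    @{ Name = 'TestEKUParsingLeafSignerPid12345'; Issuer = 'TestEKUParsingIssuingCA' },
    @{ Name = 'TestEKUParsingNoEKUsInSigner';     Issuer = 'TestEKUParsingIssuingCA' },
    @{ Name = 'TestEKUParsingLeafSignerPid1';     Issuer = 'TestEKUParsingIssuingCA' }
)

foreach ($c in $Chain) {
    $ini = "$($c.Name).ini"
    $cer = "$($c.Name).cer"

    # Same certreq.exe invocations as the "Commands to execute" list above.
    if ($null -eq $c.Issuer) {
        & certreq.exe -new $ini $cer
    } else {
        & certreq.exe -new -q -cert $c.Issuer $ini $cer
    }
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed for $($c.Name)" }

    # Find the newly issued cert by its subject CN (assumed equal to the INI base
    # name) and refuse to continue if the private key did not land in the store.
    $cert = Get-ChildItem $Store |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $c.Name } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "$($c.Name) not found in $Store" }
    if (-not $cert.HasPrivateKey) { throw "$($c.Name) has no private key; something is wrong" }

    # Password convention from this file: the PFX password equals the cert name.
    $pfxPassword = ConvertTo-SecureString -String $c.Name -AsPlainText -Force

    # BuildChain includes the issuing certs in the PFX, matching the
    # "include all certs in the path" option of the mmc export wizard.
    Export-PfxCertificate -Cert $cert -FilePath "$($c.Name).pfx" `
        -Password $pfxPassword -ChainOption BuildChain -Force | Out-Null
    Write-Host "Exported $($c.Name).pfx"
}
```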