
Are there some commonly used or standardized URI schemes or patterns that are used to identify SSL certificates, for example for description in linked data applications? The URI does not necessarily have to be resolvable, but it should be unique for a given certificate (and not something arbitrary).

For example, the fingerprint of the certificate used by stackoverflow.com is F4:AB:EB:33:1E:28:CC:EB:20:DA:7F:C1:8C:A9:55:90:C0:ED:1F:4E:63:F5:2B:63:7B:23:B9:BC:06:66:5E:64. A hypothetical example could be therefore something like urn:cert:thumbprint:F4ABEB331E28CCEB20DA7FC18CA95590C0ED1F4E63F52B637B23B9BC06665E64.

I have managed to find RFC 7512, which describes the pkcs11: scheme, and that scheme has the serial attribute; but as far as I know, the serial does not have to be unique, only when coupled with the identifier of the certificate authority, and I don't think you can specify that in pkcs11:. I wasn't able to find anything else.


1 Answer


This is my own case of establishing TLS; to get the URI (I'm using a SafeNet eToken) I issue the command:

p11tool --list-all-certs 'pkcs11:model=eToken'

The result looks like this (sensitive data is masked):

Object 0:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=01234567;token=AlexXXXXXXXXXXXXXXXX;id=%00%11%22%33%44%55%66%77;object=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;type=cert
Type: X.509 Certificate (RSA-2021)
Expires: Xxx Apr 01 01:23:45 2021
Label: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ID: 00:11:22:33:44:55:66:77

The URL

URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=01234567;token=AlexXXXXXXXXXXXXXXXX;id=%00%11%22%33%44%55%66%77;object=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;type=cert

contains the serial number of the token itself (serial=01234567) and the id of the object on the token (id=%00%11%22%33%44%55%66%77). A unique pair.

UPDATE

In your case, serial is not the serial number of a certificate; it's the serial number of the token on which the object (the certificate) is located. You are mixing up the terms.

  • Thanks for the details! Do you know how I would use this command to load a certificate file, in `.pem` format let's say? – IS4 Dec 27 '21 at 12:20
  • `.pem` assumes that you have a file. `PKCS#11` assumes that there are no files - only objects on a token. – Alexander Dec 27 '21 at 12:26
  • Are we talking about the same things? – Alexander Dec 27 '21 at 12:27
  • You tell me; I started this with the intention of producing an identifier from a certificate; I assumed it doesn't matter where it comes from. For example, if I run `p11tool --list-all-certs 'pkcs11:object=QuoVadis%20Root%20CA%202;type=cert'`, it finds [this one](https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisRootCA2-PEM/) which I can parse in other tools to retrieve something like "Key Identifier: 0x1A84 62BC 484C 3325 04D4 EED0 F603 C419 46D1 946B" and "Certificate Serial Number: 0x0509". – IS4 Dec 27 '21 at 12:47
  • Therefore I'd assume something like `pkcs11:serial=%05%09;id=%1A%84%62%BC%48%4C%33%25%04%D4%EE%D0%F6%03%C4%19%46%D1%94%6B;type=cert` would be a viable way to represent it, but I have two issues with that: p11tool shows `serial=1` for all certificates I find, so I am not sure if I use it correctly, and the `id` property seems to come from a particular extension (OID 2.5.29.14) which I am not confident all certificates have (and I don't know how globally unique that is either). – IS4 Dec 27 '21 at 12:49
  • I seem to have been mistaken about the `serial` property; it seems to come from the token, not from the certificate. I thought it would be `CKA_SERIAL_NUMBER`. – IS4 Dec 27 '21 at 13:23
  • My experience is limited to `OpenConnect`. Look for the [last invocation string](https://www.infradead.org/openconnect/connecting.html). – Alexander Dec 27 '21 at 13:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/240473/discussion-between-alexander-and-is4). – Alexander Dec 27 '21 at 13:55
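An added example, not code from the question, the answer, p11tool or any other tool mentioned above: it takes a certificate's DER bytes and builds the three kinds of identifier the thread discusses, using only the Python standard library. `fingerprint_urn` is the question's hypothetical `urn:cert:thumbprint:` form (SHA-256 over the DER, the same value `openssl x509 -fingerprint -sha256` prints); `issuer_serial_key` pairs the serial with a digest of the issuer Name, because a serial is only unique per issuing CA; `pkcs11_uri` applies RFC 7512 percent-encoding to produce a `pkcs11:` URI shaped like the answer's, with `serial` understood as the token's serial and `id` as CKA_ID. Assumptions to be aware of: the input certificate is constructed in `sample_certificate` (structurally valid DER with filler key and signature bytes, so it parses but does not verify); `urn:cert:thumbprint:` is not a registered URN namespace; using the issuer Name's DER digest is this example's choice, not a standard; and CKA_ID equal to the subjectKeyIdentifier is a common provisioning convention, not something PKCS#11 guarantees (the point raised in the comments). `parse_certificate` walks any v1 or v3 certificate, so a real DER file can be passed in place of the sample.

```python
import hashlib

# Minimal DER encoder, used only to construct the sample certificate below.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")        # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n):                                              # non-negative INTEGER
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_name(cn):                                            # Name: SEQ{SET{SEQ{OID cn, UTF8String}}}
    attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

OID_SKID = bytes.fromhex("551D0E")                           # 2.5.29.14 subjectKeyIdentifier
RSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))

def sample_certificate(issuer_cn, serial, skid):
    # Constructed input: structurally valid X.509 v3, but the key and signature
    # bytes are filler, so it verifies nowhere while parsing like a real cert.
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + b"\x42" * 32))
    ext = der(0x30, der(0x06, OID_SKID) + der(0x04, der(0x04, skid)))
    tbs = (der(0xA0, der_int(2)) + der_int(serial) + RSA_SHA256 + der_name(issuer_cn)
           + der(0x30, der(0x17, b"210101000000Z") + der(0x17, b"310101000000Z"))
           + der_name("leaf.example") + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, der(0x30, tbs) + RSA_SHA256 + der(0x03, b"\x00" * 33))

def read_tlv(buf, pos):
    """Minimal DER reader: (tag, content, end) of the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_certificate(cert_der):
    """Extract the serial, the issuer Name's raw DER bytes and the SKID (or None)."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                          # v1 certs lack [0] version
    _, serial, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)                           # signature algorithm
    start = pos
    _, _, pos = read_tlv(tbs, pos)                           # issuer Name, kept byte-exact
    issuer_der = tbs[start:pos]
    for _ in range(3):                                       # validity, subject, SPKI
        _, _, pos = read_tlv(tbs, pos)
    skid = None
    while pos < len(tbs):                                    # optional [1], [2], then [3]
        tag, content, pos = read_tlv(tbs, pos)
        p, exts = 0, read_tlv(content, 0)[1] if tag == 0xA3 else b""
        while p < len(exts):
            _, ext, p = read_tlv(exts, p)
            _, oid, q = read_tlv(ext, 0)
            tag, val, q = read_tlv(ext, q)
            if tag == 0x01:                                  # optional BOOLEAN critical
                _, val, q = read_tlv(ext, q)
            if oid == OID_SKID:
                skid = read_tlv(val, 0)[1]                   # OCTET STRING inside OCTET STRING
    return {"serial": int.from_bytes(serial, "big"), "issuer_der": issuer_der, "skid": skid}

def fingerprint_urn(cert_der):
    """The question's hypothetical form: SHA-256 over the whole DER encoding,
    i.e. what `openssl x509 -fingerprint -sha256` prints, colons removed."""
    return "urn:cert:thumbprint:" + hashlib.sha256(cert_der).hexdigest().upper()

def issuer_serial_key(cert_der):
    """A serial is unique only per issuer (RFC 5280, 4.1.2.2): pair it with a
    digest of the issuer Name's DER, since two CAs may reuse the same serial."""
    c = parse_certificate(cert_der)
    return hashlib.sha256(c["issuer_der"]).hexdigest(), format(c["serial"], "x")

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def pkcs11_encode(value):
    """RFC 7512 percent-encoding: binary attributes such as id are encoded byte
    by byte (the answer's id=%00%11%22...); text keeps unreserved characters."""
    if isinstance(value, bytes):
        return "".join("%%%02X" % b for b in value)
    return "".join(ch if ch in UNRESERVED else "%%%02X" % b
                   for ch in value for b in ch.encode())

def pkcs11_uri(cert_der, token=None, token_serial=None):
    """pkcs11: URI selecting the certificate object. id is CKA_ID, which tools
    usually (not necessarily) set to the SKID; serial is the token's serial
    number, not the certificate's, as the answer's UPDATE points out."""
    c = parse_certificate(cert_der)
    if c["skid"] is None:
        raise ValueError("no subjectKeyIdentifier to use as CKA_ID")
    parts = ["token=" + pkcs11_encode(token)] if token is not None else []
    if token_serial is not None:
        parts.append("serial=" + pkcs11_encode(token_serial))
    return "pkcs11:" + ";".join(parts + ["id=" + pkcs11_encode(c["skid"]), "type=cert"])

SAMPLE_SKID = bytes.fromhex("00112233445566778899AABBCCDDEEFF00112233")   # constructed value
SAMPLE_CERT = sample_certificate("Example Test CA", 0x1F4E63, SAMPLE_SKID)
```

Calling `pkcs11_uri(SAMPLE_CERT, token="Alex Token", token_serial="01234567")` yields `pkcs11:token=Alex%20Token;serial=01234567;id=%00%11...%33;type=cert`, the same shape as the URL in the answer. Of the three identifiers, only the fingerprint is a pure function of the certificate bytes; the (issuer, serial) pair survives re-encoding of the certificate but changes on re-issuance, and the `pkcs11:` URI names an object on a particular token rather than the certificate itself, so it is the wrong choice for a linked-data identifier even though it is the right one for selecting the object in a PKCS#11 client.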