Tuesday, April 21, 2009

roll your own EV

In working on a project recently, I found myself wanting to become an EV-SSL certificate authority (EV means Extended Validation). Lofty goals, yes, but really I just wanted to play with EV certificates and see if a couple of things were feasible. I'll post what happens as I figure it out.

Anyway, I needed to find a way to get a browser to accept a root CA that I created, and then get the browser to trust that root CA to issue EV certificates. This is harder than it sounds; regular SSL root certificates can be added easily to any browser, but the EV root certs can't. This is to protect users from accidental or malicious installation of EV root certs -- but unfortunately also protected me from easily doing it too.

Turns out, Firefox will let you "test" some CA certs as EV authorities, but you have to get your hands on a debugging build. Not only that, but unless you want to maintain a fresh CRL or OCSP server, you'll have to modify the source code. Sounds daunting, but it really isn't too bad. I've documented the whole process here, and I'll summarize in this blog post.

1. Create an EV-SSL Certificate Authority, and make an EV cert. This sounds fancy, but basically means: create a certificate authority, then issue a cert with a specific policy OID. The differences between regular CAs and EV CAs are minimal except in how the browser decides to classify them. In short, this should do the trick:
./CA.pl -newca

openssl req -config ./openssl.cnf -new -keyout newkey.pem \
-out newreq.pem -days 30

openssl ca -config ./openssl.cnf -policy policy_anything \
-out newcert.pem -infiles newreq.pem
Details here.

2. Tame Firefox. This involves patching the Firefox source code to perform lazy freshness checks on certificates (and there's a patch for that here), and set it up to accept externally defined EV root authorities (you will list them in a text file). Then you must compile the source in debug mode to enable it. Details here.

3. Install your CA and go. You have to extract the base-64 encoded subject and serial number out of your CA certificate by installing this patch, compiling the NSS tools, and running the pp tool on your root certificate. Once you've got that data, put it, the EV policy OID of your choice, and the CA cert fingerprint in a file called "test_ev_roots.txt". That text file goes in your Firefox profile directory. Once that's set up, you run Firefox, install the root CA as a regular SSL trusted authority, and you're ready to go. Details here.

Summary. It's not impossible to install a root certificate and get Firefox to consider it an EV root, but it is surely difficult (and this is good). The instructions presented in this post are simply summary, and not indended to be details, which can be found here.

Edit: I guess I should explain that EV means Extended validation; basically a more thorough check is performed by a certificate authority before issuing an EV certificate [EV on wikipedia]


Unknown said...

I'm sure this is common knowledge in your field, but what is EV?

Sid Stamm said...

@btornado: hah, yeah, I should probably clarify that, thanks. (See edit.)

Ted Mielczarek said...

I filed a bug on figuring out a way to add EV tests to our mochitest suite a while back:

Anonymous said...

Can you provide a link to a patched firefox?

Sid Stamm said...

@Anonymous: no, I won't post a patched build of Firefox. You have to patch it and compile it with your own CA and OID details anyway, so unless I post my custom CA's private key and cert along with the patch it is useless.

I also am of the opinion that if you want to play with fire, you should know how fire works. :)

Anonymous said...

I understand your reasoning, but all of the makefiles that I get, have no target for nss_build_all so is there a way I can add that?

Anonymous said...

I know that this article is a little old, but may I ask what version of Firefox you used?

Sid Stamm said...

@Anonymous: It's still there (see http://mxr.mozilla.org/mozilla-central/source/security/nss/Makefile#81). I tried it today and it worked.

With mozilla-central checked out, you have to change to the security/nss/ subdirectory and issue the make command there.

@dsage: I think this was 3.0.17. Should still work in 3.6 or trunk builds today since NSS hasn't changed a whole lot.

Sid Stamm said...

@dsage: I take that back, it was probably a pre-release 3.5 build since I was working on mozilla-central in April 2009.

Anonymous said...

Since I don't have the CA.pl or the batch file, I'm wondering if the basicConstraints,keyUsage, and OID fields are required for the CA to then make the EV. I already have a CA cert at https://podaci.co.uk/root.crt without those properties and am wondering if I will have to create a new one and re-issue the current certs in order to use it to make an EV intermediary CA.

Unknown said...

I'm receiving an error when trying to use the openssl-ca utility to create the request and sign the certificate (OpenSSL 1.1.1-pre3-dev): https://gist.github.com/h1nk/aa8531930e0f8b0f5d880c1a391fd484