From 56fbea7673317541704d713ffc5135da9fbd2635 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Sun, 10 Jul 2022 13:52:40 +0200 Subject: [PATCH] Complete description of class3 re-siging procedure --- .gitignore | 1 + README.md | 62 ++++++++++++++++++++++++++++++++++++-- openssl-class3-resign.conf | 26 ++++++++++++++++ 3 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 openssl-class3-resign.conf diff --git a/.gitignore b/.gitignore index 85e7c1d..c98ab88 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /.idea/ +/test-ca/ diff --git a/README.md b/README.md index 4782256..ec3b0f2 100644 --- a/README.md +++ b/README.md @@ -124,15 +124,20 @@ The class 3 certificate must contain the following fields: `CA: true, patLenConstraint: 0; critical` - [Extended Key Usage](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12): - `server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage` + + not set + + *Note:* `server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage` + might be a good option, but might confuse at least some relying party applications *Note:* this will not be sufficient to fulfill the [Google requirements for S/MIME certificates](https://support.google.com/a/answer/7300887) - [CRL Distribution Points](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13): - http://crl.cacert.org/class3-revoke.crl + http://crl.cacert.org/revoke.crl - *Note:* CRL URLs must use the http URL scheme + *Note:* CRL URLs must use the http URL scheme, this must be the CRL issued + by the signing CA (in this case the Root CA) - [Authority Information Access](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1): 
@@ -142,3 +147,54 @@ The class 3 certificate must contain the following fields: - OCSP: URI:http://ocsp.cacert.org/ *Note:* CA issuers and OCSP URLs must use the http URL scheme + +# Re-Signing procedure + +According to https://wiki.cacert.org/SystemAdministration/Systems/Signer the signer is running a Debian 5.0 Lenny +minimal system based operating system. The procedure documented here has therefore been tested using a Debian 5.0 +virtual machine. + +## Generate a CSR from the existing private key and certificate + +```shell +export TZ=UTC +openssl x509 -key class3.key.pem -x509toreq -in class3.crt.pem -out class3.csr.pem \ + 2>&1 | tee -a class3-signing-$(date +%Y%m%d).log +``` + +## Sign the new CA certificate with the openssl configuration file + +```shell +TZ=UTC \ +openssl ca \ + -config openssl-class3-resign.conf \ # use CA re-signing configuration + -extensions class3_ca_ext \ # use class3 CA extension section + -in class3.csr.pem \ # use the CSR from the previous step + -startdate $(date +%y%m%d%H%M%SZ --date="today") \ # use the current date + -enddate $(date +%y%m%d%H%M%SZ --date="today + 5 years 0:00") # use 5 years later + -out class3.crt.pem \ # output class3 certificate +``` + +## Post-signing changes on the signer + +Certificates signed by the new class3 CA certificate should contain links to the CRL, OCSP and DER CA certificate URLs +of the new class3 certificate. It would be a good idea to decide and document these URLs in advance. + +The CA extension configurations for the different types of end entity certificates should be configured on the signer +accordingly, i.e. 
+ +``` +[client_ext] +authorityKeyIdentifier = hash +basicConstraints = CA:FALSE +keyUsage = digitalSignature,keyEncipherment,keyAgreement +extendedKeyUsage = emailProtection,clientAuth,msSGC,msEFS,nsSGC +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +authorityInfoAccess = caIssuers;URI:http://www.cacert.org/certs/CAcert_Class3Root_x14E228.der, OCSP;URI:http://ocsp.cacert.org +``` + +*Note*: it might be preferable to use a stable URL like http://www.cacert.org/certs/class3_ca.der instead of using a +name containing the serial number. URLs that will cause redirects should be avoided, because some relying party +applications may not follow redirects. + +The OCSP, CRL and CAIssuers URLs should use the http URL scheme. diff --git a/openssl-class3-resign.conf b/openssl-class3-resign.conf new file mode 100644 index 0000000..1ac1102 --- /dev/null +++ b/openssl-class3-resign.conf @@ -0,0 +1,26 @@ +# OpenSSL configuration for CAcert class3 CA certificate re-signing + +HOME = . +RANDFILE = .rnd + +oid_section = new_oids + +[new_oids] + +[ca] +default_ca = CA_root + +[CA_root] +dir = ./cacert/root +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir/newcerts +certificate = $dir/ca.crt.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/ca.key.pem + +name_opt = ca_default +cert_opt = ca_default \ No newline at end of file
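Review bot: in the first README hunk, the sentence "*Note:* this will not be sufficient to fulfill the Google requirements for S/MIME certificates" now follows the "not set" choice for Extended Key Usage, so it is no longer clear whether "this" refers to leaving EKU unset or to the alternative EKU list in the preceding note; please reword to say which option the sentence is about. While touching this area, the unchanged context line `CA: true, patLenConstraint: 0; critical` should read `pathLenConstraint`.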
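Review bot: the `openssl ca` block in the second README hunk does not run as written: a backslash followed by a space and a `# comment` escapes the space rather than the newline, so every option line after `openssl ca \` is executed as a separate command, and the `-enddate ... # use 5 years later` line has no trailing backslash at all, which detaches `-out class3.crt.pem` from the command. Move the comments onto their own lines above the command (or into the surrounding prose) and keep a bare `\` at the end of each continued line. Two further points in the same hunk: `-out class3.crt.pem` overwrites the existing certificate that `-x509toreq` reads in the previous step, so the new certificate should be written to a different filename; and on the OpenSSL 0.9.8 shipped with Debian 5.0 the `openssl x509` option to sign with a private key is `-signkey`, `-key` is only accepted as an alias by much newer releases, so the first block should be checked on the Lenny VM the text says it was tested on. Finally, in the `[client_ext]` example, `authorityKeyIdentifier = hash` is not a valid value: `hash` belongs to `subjectKeyIdentifier`, while `authorityKeyIdentifier` takes `keyid` and/or `issuer` (e.g. `authorityKeyIdentifier = keyid,issuer`), and OpenSSL rejects unknown option names there.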
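Review bot: `openssl-class3-resign.conf` is incomplete for the command that uses it. The README invokes it with `-extensions class3_ca_ext`, but the file defines no `[class3_ca_ext]` section, and since a CSR produced by `-x509toreq` does not carry the certificate's extensions, none of the fields listed earlier in the README (basicConstraints with pathLenConstraint 0, the `http://crl.cacert.org/revoke.crl` CRL distribution point, the Authority Information Access URLs) would end up in the re-signed certificate. `openssl ca` also requires `policy` and `default_md` entries in the `[CA_root]` section (or on the command line) and will abort without them, so please add those along with the extension section, and add the missing newline at end of file.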