From 7155a4e027f1dba64486761cbd2f85e6f57262b0 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:03:08 +0530 Subject: [PATCH 01/39] Update README_NEW.md updated DSC part. --- README_NEW.md | 49 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index c19be0f43..a4fd5ae1c 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -114,13 +114,16 @@ This repository contains the template for building [onboarding](https://github.c **Certificate Preperation** > Disclaimer: The script generates self-signed certificates not intended to be used on production environments. - You must adapt the following default certificate parameter in gen_all_certs.sh to your needs: + You must adapt the following default certificate parameter of [DN_template.cnf(https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf)] file which will used in gen_all_certs.sh to your needs: ``` - export OSSL_COUNTRY_NAME="XA" + # Configuration Template for Certificate Generation + # Modify for your own needs + + export OSSL_COUNTRY_NAME="XC" export OSSL_STATE_NAME="Test State" - export OSSL_LOCALITY_NAME="Geneva" + export OSSL_LOCALITY_NAME="TEST" export OSSL_ORGANIZATION_NAME="WHO" - export OSSL_ORGANIZATIONAL_UNIT_NAME="R&D" + export OSSL_ORGANIZATIONAL_UNIT_NAME="RND" ``` > Note: OSSL_COUNTRY_NAME should be ISO 2 letter name of the country mapped to the name used in repository. 
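Review bot: the markdown link in the added line is malformed: `[DN_template.cnf(https://github.com/.../DN_template.cnf)]` puts the URL inside the square brackets, so it renders as literal text instead of a link; patch 02/39 in this series fixes it to `[DN_template.cnf](https://...)`, so the two patches should be squashed. The same line reads "file which will used in gen_all_certs.sh"; suggest "file, which is used by gen_all_certs.sh,". The new defaults (`OSSL_COUNTRY_NAME="XC"`, `OSSL_LOCALITY_NAME="TEST"`, `OSSL_ORGANIZATIONAL_UNIT_NAME="RND"`) are placeholders, which fits the existing note that the country code must be the ISO 2-letter code mapped to the repository name; it would help to say so in the comment header of the block rather than only "Modify for your own needs".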
@@ -531,4 +534,40 @@ Please be aware that RSA is NOT RECOMMENDED for the DSC and if you want to use R 8. Send an onboarding/participation request to gdhcn-support@who.int which contains: - URL of the private repository created as a prerequisite - The GPG key exported in Step 4 - + +Once Oboarding is sucessful confirmation by GHDCN Support Team + +After onboarding in the DEV/UAT/Pro Environment, check the connectivity with the Trust Network Gateway using its API. This can be acheived with following command: + +curl -v https://tng-uat.who.int/trustList --cert TLS.pem --key TLS_key.pem +You should see a output like: + +``` +[ +{ + "kid": "+jrpHSqdqZY=", + "timestamp": "2023-05-25T07:55:21Z", + "country": "XC", + "certificateType": "UPLOAD", + "thumbprint": "fa3ae91d...", + "signature": "MIAGCSqGSIb3D...", + "rawData": "MIIErTCCA5WgAwIBAgII..." +} +] +``` +4) Test the other Trustlist Routes in the same style (e.g. with DSC/SCA/Upload/Authentication…) +5) Create an Document Signer Certificate and sign it by the SCA +6) Create an CMS Package with the following Command: + + openssl x509 -outform der -in cert.pem -out cert.der + openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary + openssl base64 -in signed.der -out cms.b64 -e -A +Note: cert.der is your DSC, signing.crt is the TNPUP) + +7) Upload the CMS Package to the Gateway +curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-uat.who.int/signerCertificate +8) Download the Trustlist again, and check if your DSC is available. + +Note: Some versions of curl don’t attach the client certificates automatically. This can be checked via curl --version Ensure that the used version is linked to OpenSSL. Especially under Windows (https://curl.se/windows/): + + From df47b99a8f01d87304441294ddefa63254c1119e Mon Sep 17 00:00:00 2001 
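Review bot: the steps added after step 8 restart at `4)`, `5)`, `6)` and then reach `7)` and `8)` again, so the procedure now contains two different step 4 to 8 sequences; renumber them to continue from 9, or put the post-onboarding checks under their own heading. Several other problems in the same region: "Once Oboarding is sucessful confirmation by GHDCN Support Team" is a sentence fragment, and the team is spelt GDHCN elsewhere on this page; the first `curl -v https://tng-uat.who.int/trustList --cert TLS.pem --key TLS_key.pem` command and the three `openssl` commands are not in a code fence, unlike the JSON sample next to them; the note "signing.crt is the TNPUP)" has an unmatched closing parenthesis; and "acheived" should be "achieved". Since `openssl cms -sign ... -signer signing.crt -inkey signing.key` signs the DSC with the upload (TNPUP) key, the note should name `signing.key` as the TNPUP private key alongside cert.der, so readers do not guess which key file belongs there.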
From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:05:35 +0530 Subject: [PATCH 02/39] Update README_NEW.md Added DN_template.cnf file parameters section --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index a4fd5ae1c..146e5f97a 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -114,7 +114,7 @@ This repository contains the template for building [onboarding](https://github.c **Certificate Preperation** > Disclaimer: The script generates self-signed certificates not intended to be used on production environments. - You must adapt the following default certificate parameter of [DN_template.cnf(https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf)] file which will used in gen_all_certs.sh to your needs: + You must adapt the following default certificate parameter of [DN_template.cnf](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf) file which will used in gen_all_certs.sh to your needs: ``` # Configuration Template for Certificate Generation # Modify for your own needs From e030b1aebdf4528e170df14c32049a54cd99cad3 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 7 Aug 2024 17:18:27 +0530 Subject: [PATCH 03/39] Update README_NEW.md --- README_NEW.md | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 146e5f97a..49f41340f 100644 --- a/README_NEW.md +++ b/README_NEW.md 
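Review bot: this one-character fix of the link introduced in patch 01/39 should be squashed into that patch rather than shipped as a separate commit; the corrected line still reads "file which will used in gen_all_certs.sh" and needs "which is used by".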
@@ -535,11 +535,19 @@ Please be aware that RSA is NOT RECOMMENDED for the DSC and if you want to use R - URL of the private repository created as a prerequisite - The GPG key exported in Step 4 -Once Oboarding is sucessful confirmation by GHDCN Support Team +Once you recieve confirmation on sucesfull onboarding from TNG Support Team ( gdhcn-support@who.int) After onboarding in the DEV/UAT/Pro Environment, check the connectivity with the Trust Network Gateway using its API. This can be acheived with following command: +TNG-WHO Endpoints: +- PRD: https://tng.who.int +- UAT: https://tng-uat.who.int +- DEV: https://tng-dev.who.int + + +``` curl -v https://tng-uat.who.int/trustList --cert TLS.pem --key TLS_key.pem +``` You should see a output like: ``` 
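Review bot: "Once you recieve confirmation on sucesfull onboarding from TNG Support Team ( gdhcn-support@who.int)" has no main clause and simply runs into the next paragraph; suggest "Once you receive confirmation of successful onboarding from the TNG Support Team (gdhcn-support@who.int), check the connectivity ..." and drop the space after the opening parenthesis. The new endpoint list labels the environments PRD/UAT/DEV while the sentence above it says "DEV/UAT/Pro", and the example command still targets `tng-uat.who.int`; use one name for production and state which environment the example is for. Wrapping the curl command in a code fence is the right fix.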
@@ -559,14 +567,25 @@ You should see a output like: 5) Create an Document Signer Certificate and sign it by the SCA 6) Create an CMS Package with the following Command: - openssl x509 -outform der -in cert.pem -out cert.der - openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary - openssl base64 -in signed.der -out cms.b64 -e -A -Note: cert.der is your DSC, signing.crt is the TNPUP) +``` +openssl x509 -outform der -in cert.pem -out cert.der +openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary +openssl base64 -in signed.der -out cms.b64 -e -A +``` +**Note**: cert.der is your DSC, signing.crt is the TNPUP) -7) Upload the CMS Package to the Gateway +7) Check DSC is already exist before upload CMS package +``` +curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key +``` +9) Upload the CMS Package to the Gateway +``` curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-uat.who.int/signerCertificate -8) Download the Trustlist again, and check if your DSC is available. +``` +11) Download the Trustlist again, and check if your DSC is available. +``` +curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key +``` Note: Some versions of curl don’t attach the client certificates automatically. This can be checked via curl --version Ensure that the used version is linked to OpenSSL. Especially under Windows (https://curl.se/windows/): From 5e483503dc45c362317836e806cae3a830855e61 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:36:17 +0530 Subject: [PATCH 04/39] Update README_NEW.md --- README_NEW.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 49f41340f..4e8779bc3 100644 --- a/README_NEW.md +++ b/README_NEW.md 
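Review bot: the client-certificate arguments are inconsistent within one procedure: the new steps 7 and 11 use `--cert TLS.pem --key TLS.key` against `tng-dev.who.int`, while step 9 and the connectivity check above use `--key TLS_key.pem` against `tng-uat.who.int`; a reader following the text literally will get a handshake failure from whichever file name does not exist. Use a single key file name and a single environment, or state that the host must be swapped per environment. The step numbers also jump 7, 9, 11, and the lookup URL hard-codes `/trustList/DSC/XC`; say that `XC` is the example country code from DN_template.cnf and must be replaced with the participant's own code, otherwise the "check if your DSC is available" step silently queries the wrong country. "Check DSC is already exist before upload CMS package" should read "Check whether the DSC already exists before uploading the CMS package".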
@@ -546,7 +546,7 @@ TNG-WHO Endpoints: ``` -curl -v https://tng-uat.who.int/trustList --cert TLS.pem --key TLS_key.pem +curl -v https://tng-dev.who.int/trustList --cert TLS.pem --key TLS_key.pem ``` You should see a output like: @@ -580,7 +580,7 @@ curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key ``` 9) Upload the CMS Package to the Gateway ``` -curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-uat.who.int/signerCertificate +curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-dev.who.int/signerCertificate ``` 11) Download the Trustlist again, and check if your DSC is available. ``` From 9f266ae914c320c166ab673fbcd3af850a36bff1 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 12 Aug 2024 13:38:27 +0530 Subject: [PATCH 05/39] Update README_NEW.md --- README_NEW.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index 4e8779bc3..6d05778ca 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -589,4 +589,11 @@ curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key Note: Some versions of curl don’t attach the client certificates automatically. This can be checked via curl --version Ensure that the used version is linked to OpenSSL. Especially under Windows (https://curl.se/windows/): + +The DSC generation and upload CMS package could be achieved the script as well . + +[Generate DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#generate-dscs) + +[Upload DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#upload-dscs0) + From 7b95db4caf4a5f5d13ccde44638f01b7f12f9580 Mon Sep 17 00:00:00 2001 
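Review bot: moving both commands to `tng-dev.who.int` removes the dev/uat mismatch from patch 03/39, but the key file name mismatch remains: these two lines use `--key TLS_key.pem` while the unchanged steps 7 and 11 right next to them use `--key TLS.key`; align the file names in the same change.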
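Review bot: "The DSC generation and upload CMS package could be achieved the script as well ." needs rewording, e.g. "DSC generation and the CMS package upload can also be done with the scripts below:". The second link anchor, `#upload-dscs0`, ends in a digit unlike `#generate-dscs`; please verify it against the headings in scripts/certgen, since a wrong anchor silently lands at the top of the page. Patch 06/39 deletes this block again and moves it above step 7, so these two patches should be squashed.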
From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 12 Aug 2024 14:26:05 +0530 Subject: [PATCH 06/39] Update README_NEW.md --- README_NEW.md | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 6d05778ca..02813ae3b 100644 --- a/README_NEW.md +++ b/README_NEW.md 
@@ -571,8 +571,30 @@ You should see a output like: openssl x509 -outform der -in cert.pem -out cert.der openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary openssl base64 -in signed.der -out cms.b64 -e -A + ``` -**Note**: cert.der is your DSC, signing.crt is the TNPUP) +**Note**: cert.der is your DSC, signing.crt is the TNPUP. + +The DSC generation and upload of CMS package to TNG Gateway could be achieved through the below mentioned scripts. +For DEV and UAT environments you may use script. + +[Generate DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#generate-dscs) + +[Upload DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#upload-dscs0) + +The Distinguised Nmae ( DN) configuration file while will parse as source [DN_template.cnf](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf) is an example. + +Please replace with your actual OSSL_COUNTRY_NAME, OSSL_STATE_NAME etc parameters accordingly of DN_template.cnf file. + +The script expects at least two arguments: +A configuration file (DN_template.cnf) that contains the Distinguished Name (DN) template. +A subdirectory where the SCA (Signing Certificate Authority) PEM and KEY files are located. +An optional third argument can be provided to specify the purpose of the DSC (e.g., test, vax, rec). If this argument is not provided, the DSC will be generated for all purposes. + +Howto run script : ./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} + + + 7) Check DSC is already exist before upload CMS package ``` 
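Review bot: the usage line `./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose}` has mismatched brackets (`[` closed by `}`) and a placeholder script name; give the real script name and write the optional argument as `[test|vax|rec]` to match the sentence above it. "The Distinguised Nmae ( DN) configuration file while will parse as source ... is an example." is garbled; suggest "The Distinguished Name (DN) configuration file DN_template.cnf read by the script is only an example; replace OSSL_COUNTRY_NAME, OSSL_STATE_NAME and the other parameters with your own values." The three sentences describing the arguments would read better as a numbered list. The second argument is the directory holding the SCA PEM and KEY files, so the text should say plainly that this directory contains the SCA private key; the README already tells readers to delete generated folders before committing, and this is the folder that matters most.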
@@ -581,6 +603,7 @@ curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key 9) Upload the CMS Package to the Gateway ``` curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-dev.who.int/signerCertificate + ``` 11) Download the Trustlist again, and check if your DSC is available. ``` @@ -590,10 +613,6 @@ curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key Note: Some versions of curl don’t attach the client certificates automatically. This can be checked via curl --version Ensure that the used version is linked to OpenSSL. Especially under Windows (https://curl.se/windows/): -The DSC generation and upload CMS package could be achieved the script as well . - -[Generate DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#generate-dscs) -[Upload DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#upload-dscs0) From e5f795349ecacf56cded7866e8d4372215549938 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:36:36 +0530 Subject: [PATCH 07/39] Update README_NEW.md --- README_NEW.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 02813ae3b..59494f964 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -566,7 +566,9 @@ You should see a output like: 4) Test the other Trustlist Routes in the same style (e.g. with DSC/SCA/Upload/Authentication…) 5) Create an Document Signer Certificate and sign it by the SCA 6) Create an CMS Package with the following Command: + Note: Step 4 and 5 could be achived through two menthod commandline and script respectively . +**Method 1 - Commandline .** ``` openssl x509 -outform der -in cert.pem -out cert.der openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary 
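Review bot: the new note "Step 4 and 5 could be achived through two menthod commandline and script respectively ." names the wrong steps: it sits under step 6, and the two methods describe creating the DSC and the CMS package, which are steps 5 and 6; step 4 is testing the trust-list routes. "Respectively" is also wrong, since both steps can be done either way. Suggest "Steps 5 and 6 can be done either on the command line (Method 1) or with the scripts (Method 2)." and drop the space before the period in "**Method 1 - Commandline .**".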
@@ -575,6 +577,8 @@ openssl base64 -in signed.der -out cms.b64 -e -A ``` **Note**: cert.der is your DSC, signing.crt is the TNPUP. +**Method 2 - Scripts** + The DSC generation and upload of CMS package to TNG Gateway could be achieved through the below mentioned scripts. For DEV and UAT environments you may use script. @@ -594,8 +598,6 @@ An optional third argument can be provided to specify the purpose of the DSC (e. Howto run script : ./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} - - 7) Check DSC is already exist before upload CMS package ``` curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key From 69657790c24aab0cb76f5e25075d21bce96eded8 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:46:44 +0530 Subject: [PATCH 08/39] Update README_NEW.md --- README_NEW.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 59494f964..1c22fa44c 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -595,8 +595,10 @@ A configuration file (DN_template.cnf) that contains the Distinguished Name (DN) A subdirectory where the SCA (Signing Certificate Authority) PEM and KEY files are located. An optional third argument can be provided to specify the purpose of the DSC (e.g., test, vax, rec). If this argument is not provided, the DSC will be generated for all purposes. -Howto run script : ./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} - +Howto run script : +``` +./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} +``` 7) Check DSC is already exist before upload CMS package ``` From db01c20d6f131a4242d1693c5b8ea4d0243d04b6 Mon Sep 17 00:00:00 2001 
From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:53:48 +0530 Subject: [PATCH 09/39] Update README_NEW.md --- README_NEW.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 1c22fa44c..8992078a2 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -595,9 +595,11 @@ A configuration file (DN_template.cnf) that contains the Distinguished Name (DN) A subdirectory where the SCA (Signing Certificate Authority) PEM and KEY files are located. An optional third argument can be provided to specify the purpose of the DSC (e.g., test, vax, rec). If this argument is not provided, the DSC will be generated for all purposes. -Howto run script : +Howto to run DSC Generate Script [gen_dsh.sh](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/gen_dsc.sh) + ``` ./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} + ``` 7) Check DSC is already exist before upload CMS package From 08f04ba612f340c5e55d4f8fd1a7f56b085d4e3d Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 13 Aug 2024 12:03:13 +0530 Subject: [PATCH 10/39] Update README_NEW.md --- README_NEW.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 8992078a2..f1eae9dca 100644 --- a/README_NEW.md +++ b/README_NEW.md 
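Review bot: the link text `gen_dsh.sh` does not match the URL, which ends in `gen_dsc.sh`, and the usage line below it still says `./script_name.sh` with the mismatched `[test/vax/rec-purpose}` brackets, so a reader still never sees the real invocation. Suggest `./gen_dsc.sh DN_template.cnf <directory_with_SCA_pem_and_key> [test|vax|rec]`. "Howto to run DSC Generate Script" should be "How to run the DSC generation script".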
@@ -595,12 +595,24 @@ A configuration file (DN_template.cnf) that contains the Distinguished Name (DN) A subdirectory where the SCA (Signing Certificate Authority) PEM and KEY files are located. An optional third argument can be provided to specify the purpose of the DSC (e.g., test, vax, rec). If this argument is not provided, the DSC will be generated for all purposes. -Howto to run DSC Generate Script [gen_dsh.sh](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/gen_dsc.sh) +**Howto to run DSC Generate Script** [gen_dsh.sh](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/gen_dsc.sh) ``` ./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose} -``` +``` +**How to run upload.sh script:** + +./upload_dsc.sh: Replace this with the actual name of your script. + +/path/to/subdir: Path to the directory containing UP.pem and UP.key. + +/path/to/DSC_dir: Path to the directory containing the DSC files (DSC.pem, DSC.key). + +DCC: The domain name to be used. If omitted, the script will default to DCC. +``` +./upload_dsc.sh /path/to/subdir-up_pem_key /path/to/DSC_dir [DCC] +``` 7) Check DSC is already exist before upload CMS package ``` From b4af4f89cb305a38bc4ae52291d0b663cb19b4fe Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 21 Aug 2024 13:14:33 +0530 Subject: [PATCH 11/39] Update README_NEW.md --- README_NEW.md | 141 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index f1eae9dca..c3b16810c 100644 --- a/README_NEW.md +++ b/README_NEW.md 
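Review bot: the heading says "How to run upload.sh script" while the command and the argument list use `upload_dsc.sh`, and the first bullet then says "Replace this with the actual name of your script", which contradicts the fixed "Upload DSCs" link to the repository script; use the real name in all three places. The argument list describes `/path/to/subdir` and `/path/to/DSC_dir`, but the usage line reads `/path/to/subdir-up_pem_key /path/to/DSC_dir`; make them identical. The first directory holds `UP.key`, the upload private key that signs the CMS package, so say that rather than just "UP.pem and UP.key". For the last argument, "DCC: The domain name to be used" should clarify what "domain" means here, since `DCC` is not a hostname and readers may otherwise supply a DNS name. The closing fence of the previous block has no blank line before the new bold heading, unlike the rest of the file.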
@@ -633,4 +633,145 @@ Note: Some versions of curl don’t attach the client certificates automatically + + + +======================================================================= +# Certificate Renewal Procedures + +======================================================================= + +## 1. **Renewing TLS Certificates** + +### For Production Environment: +1. **Create TLS Configuration File (`TLSClient.conf`):** + + ```plaintext + [req] + prompt = no + default_md = sha256 + distinguished_name = dn + + [dn] + C = DE + ST = NRW + L = Bonn + O = MinistryOfTest + OU = DGCOperations + CN = NationX_TNP_TLS + + [ext] + keyUsage = critical, digitalSignature, keyCertSign + extendedKeyUsage = clientAuth + ``` + +2. **Generate New Private Key and Certificate:** + + ```bash + openssl req -x509 -new -days 365 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout TNP_TLS.key -nodes -out TNP_TLS.pem -config TLSClient.conf + ``` + +## 2. **Renewing UP (Upload Certificates)** + +### For Production Environment: +1. **Create UP Configuration File (`uploadCert.conf`):** + + ```plaintext + [req] + prompt = no + default_md = sha256 + distinguished_name = dn + + [dn] + C = DE + ST = NRW + L = Bonn + O = MinistryOfTest + OU = DGCOperations + CN = NationX_TNPUP + + [ext] + keyUsage = critical, digitalSignature + ``` + +2. **Generate New Private Key and Certificate:** + + ```bash + openssl req -x509 -new -days 365 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout TNP_UP.key -nodes -out TNP_UP.pem -config uploadCert.conf + ``` + +## 3. **Renewing SCA (Signing Certificate Authority)** + +### For Production Environment: +1. 
**Create SCA Configuration File (`sca.conf`):** + + ```plaintext + [req] + prompt = no + default_md = sha256 + distinguished_name = dn + + [dn] + C = DE + ST = NRW + L = Bonn + O = MinistryOfTest + OU = DGCOperations + CN = SCA_DGC_DE_01 + + [ext] + basicConstraints = critical, CA:TRUE, pathlen:0 + keyUsage = critical, cRLSign, keyCertSign + subjectKeyIdentifier = hash + ``` + +2. **Generate New Private Key and Certificate:** + + ```bash + openssl req -x509 -new -days 1461 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout CAprivkey.key -nodes -out CAcert.pem -config sca.conf + ``` + +## General Notes: +- Make sure to replace configuration file details with your specific information. +- Ensure to back up any existing certificates before renewing. +- Verify and update any configurations or deployment settings to use the new certificates. +- Self-signed certificates are generally used for DEV and UAT environments. For production, use certificates signed by a recognized CA. + +## Git Commit and Tag Push + +### General Steps for Committing and Tagging Renewed Certificates: + +1. **Add the renewed certificate to Git:** + + ```bash + git add path/to/renewed-certificate.pem + ``` + +2. **Commit the changes:** + + ```bash + git commit -m "Add renewed certificate" + ``` + +3. **Push the changes to the main branch:** + + ```bash + git push origin main + ``` + +4. **Tag the commit with an appropriate version:** + + ```bash + git tag -a v1.3 -m "Renewed certificate" + ``` + +5. **Push the tag to the remote repository:** + + ```bash + git push origin v1.3 + ``` + +Feel free to adjust the file names and tags as needed for your specific context. + + From 0a310b2b5ff81284cc144e6267d925b7331d54da Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 21 Aug 2024 14:26:22 +0530 Subject: [PATCH 12/39] Update README_NEW.md --- README_NEW.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) 
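Review bot: the `git add path/to/renewed-certificate.pem` step needs an explicit instruction to add only the `.pem` files, because every `openssl req` command in this section writes the new private key (`-keyout TNP_TLS.key`, `TNP_UP.key`, `CAprivkey.key`, all with `-nodes`, i.e. unencrypted) into the same directory as the certificate, and a `git add` of the directory or a glob would commit the key to the onboarding repository. Further points in this hunk: every subsection is headed "For Production Environment", yet all three commands create self-signed certificates with `openssl req -x509`, which the General Notes at the end of the same hunk say not to use in production; either retitle the sections or add the CA-signed path. The TLS client configuration sets `keyUsage = critical, digitalSignature, keyCertSign` together with `extendedKeyUsage = clientAuth`; RFC 5280 section 4.2.1.3 defines keyCertSign for verifying signatures on certificates and requires the cA bit in basicConstraints whenever it is asserted, so on an end-entity client-authentication certificate it is both unnecessary and non-conformant; please confirm it is intended rather than carried over from the SCA template. The sample DNs (`C = DE`, `ST = NRW`, `L = Bonn`, `O = MinistryOfTest`) and the tag `v1.3` are examples and should be marked as placeholders where they appear, not only in the notes at the end. The `=====` rules and the bold inside headings (`## 1. **Renewing TLS Certificates**`) are not used elsewhere in this README.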
diff --git a/README_NEW.md b/README_NEW.md index c3b16810c..eac6e68e7 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -643,7 +643,26 @@ Note: Some versions of curl don’t attach the client certificates automatically ## 1. **Renewing TLS Certificates** +The TLS, UP and SCA certificate renewal proces is same as fresh new TLS/UP/SCA certfication generation during fresh new full onboarding you had followed . Once you get notified by TNG Support Team prior 30 daysby E-mail communication on certificate expiration, so accordinlgy you have to renew you respective certificate . + +**Validity periods** +Digital certificates contain a validity period that enforces certificate renewal. Renewal is necessary to use fresh cryptographic keys and to adapt the key sizes when improvements in computation or new attacks threaten the security of the cryptographic algorithm that is used. The shell model applies (see Section “Signing Certificate Authorities and Validation Model”). The following validity periods are recommended based on the assumption of the one-year maximum validity for Verifiable Digital Health Certificates : + +SCA: 4 years +DSC: 2 years +Upload: 1-2 years +TLS Client authentication: 1-2 years +For a timely renewal, the following usage period for the private keys are recommended: + +SCA: 1 year +DSC: 6 months +GDHCN Participants MUST create new upload certificates and TLS certificates timely, e.g. one month, before expiration in order to allow smooth operation. SCA and DSC SHOULD be renewed at least one month before the private key usage ends (considering the necessary operational procedures). GDHCN Participants MUST provide updated SCA, upload and TLS certificates to the GDHCN Secretariat. + + + ### For Production Environment: + +### **Renewing UP (TLS Certificates)** 1. **Create TLS Configuration File (`TLSClient.conf`):** ```plaintext 
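Review bot: the new subheading "### **Renewing UP (TLS Certificates)**" sits under "## 1. Renewing TLS Certificates" and introduces `TLSClient.conf`, so "UP" is wrong here (UP is section 2). The paragraph before it is hard to read ("proces is same as fresh new TLS/UP/SCA certfication generation during fresh new full onboarding you had followed . Once you get notified by TNG Support Team prior 30 daysby E-mail communication on certificate expiration, so accordinlgy you have to renew you respective certificate ."); suggest "Renewing a TLS, UP or SCA certificate follows the same steps as generating it during onboarding. The TNG Support Team notifies you by e-mail 30 days before a certificate expires; renew the affected certificate when you receive that notice." The validity text refers to "Section “Signing Certificate Authorities and Validation Model”", but no such section exists in this README as far as the diff shows; link to the governance document it was taken from instead. The recommended periods (TLS and Upload 1 to 2 years, SCA 4 years) agree with the `-days 365` and `-days 1461` used in the commands below, which is good; the validity and key-usage figures would read more clearly as markdown lists.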
@@ -669,6 +688,7 @@ Note: Some versions of curl don’t attach the client certificates automatically ```bash openssl req -x509 -new -days 365 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout TNP_TLS.key -nodes -out TNP_TLS.pem -config TLSClient.conf + ``` ## 2. **Renewing UP (Upload Certificates)** @@ -729,6 +749,8 @@ Note: Some versions of curl don’t attach the client certificates automatically ```bash openssl req -x509 -new -days 1461 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout CAprivkey.key -nodes -out CAcert.pem -config sca.conf + + ``` ## General Notes: @@ -737,6 +759,9 @@ Note: Some versions of curl don’t attach the client certificates automatically - Verify and update any configurations or deployment settings to use the new certificates. - Self-signed certificates are generally used for DEV and UAT environments. For production, use certificates signed by a recognized CA. + + + ## Git Commit and Tag Push ### General Steps for Committing and Tagging Renewed Certificates: From 6f23f963961132989b72dff6aee1a5457926b3af Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 13:05:35 +0530 Subject: [PATCH 13/39] Update README_NEW.md --- README_NEW.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index eac6e68e7..9a8e61b78 100644 --- a/README_NEW.md +++ b/README_NEW.md 
@@ -160,10 +160,16 @@ This repository contains the template for building [onboarding](https://github.c **Note** On DEV and UAT environment, if the files are generated using a script, delete the generated folder before committing the files. -- For Prod +## For Production: + **Concepts Certificate Preparation** This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. +**Recommendations**: + +Self-signed certificates are typically used in DEV and UAT environments. For production, it is strongly recommended to use certificates signed by a trusted Certificate Authority (CA). + + ### Elliptic Curve Public Key Certificates (ECDSA with NIST-p-256) #### SCA certificate (TNP~SCA~) generation example: > Please check [SCA Creation](https://github.com/WorldHealthOrganization/smart-trust/releases/download/v1.1.1/1.1.full-video.SCA.v2.mp4) video for reference From e2dbdab05cb93114fc693c6a9e1984dd3a083892 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 13:22:06 +0530 Subject: [PATCH 14/39] Create For Prod Trusted CA Certificate Recommended --- ...te Authority (CA) Certificate Recommended. | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 For Prod trusted Certificate Authority (CA) Certificate Recommended. diff --git a/For Prod trusted Certificate Authority (CA) Certificate Recommended. b/For Prod trusted Certificate Authority (CA) Certificate Recommended. new file mode 100644 index 000000000..a339dc825 --- /dev/null +++ b/For Prod trusted Certificate Authority (CA) Certificate Recommended. 
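Review bot: turning the bullet "- For Prod" into an H2 "## For Production:" pulls this item out of the DEV/UAT vs Prod pairing that the preceding "On DEV and UAT environment" note belongs to, and patch 18/39 reverts it to "- For Production:"; squash the two so the series does not flip the heading back and forth. The new Recommendations paragraph is a useful addition; the three trailing blank lines after it are not needed.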
@@ -0,0 +1,23 @@ +Steps to Obtain and Use a CA-Signed Certificate + +1. Generate a Certificate Signing Request (CSR) +To begin, generate a CSR using the following OpenSSL command. This request will include a new private key and a configuration file: + +openssl req -new -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout CAprivkey.key -out CAreq.csr -config sca.conf + + + +CAprivkey.key: This file contains the private key. +CAreq.csr: This file contains the Certificate Signing Request. +sca.conf: This is the OpenSSL configuration file used during the CSR generation. + +2. Submit the CSR to a Public Certificate Authority (CA) +Submit the generated CAreq.csr file to the public CA of your choice. The CA will use this CSR to issue a certificate. Upon approval, the CA will provide you with: + +2. Submit CSR to the Public CA +Submit the generated CAreq.csr file to the public CA of your choice. They will use the CSR to issue a certificate. The CA will provide you with the signed certificate and possibly a certificate chain or intermediate certificates. + +3. Use the CA-Signed Certificate +Once you receive the CA-signed certificate, you will use it instead of generating a new self-signed certificate. Here’s how you can replace the placeholders with the signed certificate: +cp signed_CA_cert.pem ${subdir}/CAcert.pem +cp CAprivkey.key ${subdir}/CAprivkey.key From c40d85ed71dc9faf138307bc76405f5cadb753d4 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 14:36:15 +0530 Subject: [PATCH 15/39] Rename For Prod trusted Certificate Authority (CA) Certificate Recommended. to For Prod Trusted CA Certificate --- ...) Certificate Recommended. => For Prod Trusted CA Certificate | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename For Prod trusted Certificate Authority (CA) Certificate Recommended. => For Prod Trusted CA Certificate (100%) 
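Review bot: the CSR is generated with `-config sca.conf`, and the sca.conf shown in the renewal section of README_NEW.md requests `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, cRLSign, keyCertSign`, i.e. a subordinate CA certificate; public CAs generally do not issue subordinate-CA certificates to subscribers, so this file should say which certificate (TLS, UP or SCA) the procedure is meant for and, if it is the SCA, what kind of CA can actually sign it. Further points: step 2 appears twice, and the first copy ends with the dangling "Upon approval, the CA will provide you with:"; `-nodes` writes `CAprivkey.key` unencrypted, which deserves a sentence on protecting that file, since it is the key that later signs every DSC; `${subdir}` in the `cp` commands is never defined in this file; and the file name "For Prod trusted Certificate Authority (CA) Certificate Recommended." contains spaces and a trailing period and has no `.md` extension, so it will not render as markdown (patches 15 and 16 rename it, so squash them into this one).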
diff --git a/For Prod trusted Certificate Authority (CA) Certificate Recommended. b/For Prod Trusted CA Certificate similarity index 100% rename from For Prod trusted Certificate Authority (CA) Certificate Recommended. rename to For Prod Trusted CA Certificate From 7915741ac7dddd3dd1d6ab5c14fe7e833b0ade1c Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 14:41:57 +0530 Subject: [PATCH 16/39] Update and rename For Prod Trusted CA Certificate to For Prod Trusted CA Certificate.md --- ...ate => For Prod Trusted CA Certificate.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) rename For Prod Trusted CA Certificate => For Prod Trusted CA Certificate.md (67%) diff --git a/For Prod Trusted CA Certificate b/For Prod Trusted CA Certificate.md similarity index 67% rename from For Prod Trusted CA Certificate rename to For Prod Trusted CA Certificate.md index a339dc825..e87ad16a5 100644 --- a/For Prod Trusted CA Certificate +++ b/For Prod Trusted CA Certificate.md 
@@ -1,23 +1,24 @@ -Steps to Obtain and Use a CA-Signed Certificate +## Steps to Obtain and Use a CA-Signed Certificate -1. Generate a Certificate Signing Request (CSR) +**1. Generate a Certificate Signing Request (CSR)** To begin, generate a CSR using the following OpenSSL command. This request will include a new private key and a configuration file: +``` openssl req -new -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout CAprivkey.key -out CAreq.csr -config sca.conf +``` +**CAprivkey.key:** This file contains the private key. +C**Areq.csr:** This file contains the Certificate Signing Request. +**sca.conf:** This is the OpenSSL configuration file used during the CSR generation. -CAprivkey.key: This file contains the private key. -CAreq.csr: This file contains the Certificate Signing Request. -sca.conf: This is the OpenSSL configuration file used during the CSR generation. - -2. Submit the CSR to a Public Certificate Authority (CA) +**2. Submit the CSR to a Public Certificate Authority (CA)** Submit the generated CAreq.csr file to the public CA of your choice. The CA will use this CSR to issue a certificate. Upon approval, the CA will provide you with: -2. Submit CSR to the Public CA +**2. Submit CSR to the Public CA** Submit the generated CAreq.csr file to the public CA of your choice. They will use the CSR to issue a certificate. The CA will provide you with the signed certificate and possibly a certificate chain or intermediate certificates. -3. Use the CA-Signed Certificate +**3. Use the CA-Signed Certificate** Once you receive the CA-signed certificate, you will use it instead of generating a new self-signed certificate. Here’s how you can replace the placeholders with the signed certificate: cp signed_CA_cert.pem ${subdir}/CAcert.pem cp CAprivkey.key ${subdir}/CAprivkey.key From b424b68170369cca8440ff97030259eb0c75f1c6 Mon Sep 17 00:00:00 2001 
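Review bot: the bold markup on the second item is misplaced: `C**Areq.csr:**` should be `**CAreq.csr:**`. The duplicated step 2 is carried over unchanged, with the first copy still ending in "will provide you with:" and nothing following; merge the two into one step and renumber. The two `cp` commands at the end are still not in a code fence although the openssl command above them now is, and `${subdir}` remains undefined.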
From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:33:00 +0530 Subject: [PATCH 17/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 9a8e61b78..1bf4dc519 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -166,9 +166,9 @@ This repository contains the template for building [onboarding](https://github.c This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. **Recommendations**: - Self-signed certificates are typically used in DEV and UAT environments. For production, it is strongly recommended to use certificates signed by a trusted Certificate Authority (CA). +This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) ### Elliptic Curve Public Key Certificates (ECDSA with NIST-p-256) #### SCA certificate (TNP~SCA~) generation example: From 733d223d45af4732a9087005d03a51fbad46cf71 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 15:38:24 +0530 Subject: [PATCH 18/39] Update README_NEW.md --- README_NEW.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 1bf4dc519..d6211df83 100644 --- a/README_NEW.md +++ b/README_NEW.md 
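Review bot: the new reference link points at a personal fork (`https://github.com/arajnor99/smart-trust/...`) rather than this repository, and the encoded path `For%20Prod%20%20Trusted%20CA%20Certificate.md` contains a double space that does not match the single-spaced name chosen in the rename of patch 16; use a relative link to the file in this repository or an in-document anchor. Also add a space before `[Reference-` so the link does not run straight on from `instructions.`.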
@@ -160,7 +160,7 @@ This repository contains the template for building [onboarding](https://github.c **Note** On DEV and UAT environment, if the files are generated using a script, delete the generated folder before committing the files. -## For Production: +- For Production: **Concepts Certificate Preparation** This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. @@ -169,7 +169,8 @@ This guide follows the certificate templates defined in the certificate governan Self-signed certificates are typically used in DEV and UAT environments. For production, it is strongly recommended to use certificates signed by a trusted Certificate Authority (CA). This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) - + + ### Elliptic Curve Public Key Certificates (ECDSA with NIST-p-256) #### SCA certificate (TNP~SCA~) generation example: > Please check [SCA Creation](https://github.com/WorldHealthOrganization/smart-trust/releases/download/v1.1.1/1.1.full-video.SCA.v2.mp4) video for reference From f47a0f323b6f9842148e95108dc64232d704a5af Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 16:13:29 +0530 Subject: [PATCH 19/39] Update README_NEW.md --- README_NEW.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index d6211df83..75af24c6a 100644 --- a/README_NEW.md +++ b/README_NEW.md 
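Review bot: replacing the heading `## For Production:` with the bullet `- For Production:` removes the only linkable anchor for the production guidance and leaves a one-word list item followed by a bold paragraph, which renders as a stray bullet; keep it a heading (for example `### For Production`) so the cross-references added later in this series have a target. The second hunk only inserts blank lines and could be squashed.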
@@ -158,18 +158,13 @@ This repository contains the template for building [onboarding](https://github.c - TLS.pem -> onboarding/DCC/TLS **Note** On DEV and UAT environment, if the files are generated using a script, delete the generated folder before committing the files. - - -- For Production: + + **For Production** **Concepts Certificate Preparation** -This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. - -**Recommendations**: -Self-signed certificates are typically used in DEV and UAT environments. For production, it is strongly recommended to use certificates signed by a trusted Certificate Authority (CA). - -This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) - +This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. 
You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) + + ### Elliptic Curve Public Key Certificates (ECDSA with NIST-p-256) #### SCA certificate (TNP~SCA~) generation example: From 421037259d54132879a1556bcc2f1ae8acd9c0e8 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Mon, 2 Sep 2024 17:25:07 +0530 Subject: [PATCH 20/39] Update README_NEW.md --- README_NEW.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index 75af24c6a..df0220e35 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -219,6 +219,8 @@ extendedKeyUsage   1.3.6.1.4.1.1847.2021.1.2 for Vacination Issuers\ extendedKeyUsage   1.3.6.1.4.1.1847.2021.1.3 for Recovery Issuers\ The above example contains all three extended key usages. + + *Create a certificate signing request (CSR)* In order to create a certificate for a Document Signer, first create a Certificate Signing Request preferably on the machine that will use the certificate in order to avoid copying the private key (DSC01privkey.key) to this machine later. The CSR must contain the Distinguished Name (DN) information that will be included in the DSC. Open a command prompt and use the following command to create the CSR: ``` 
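Review bot: the rewrite collapses the heading, the recommendation and the reference into one paragraph and drops the `**Recommendations**:` label, which makes the production guidance harder to find; keep a heading and separate paragraphs. Inside the merged text, `(CA)**.This` is missing a space, `It is strongly recommended` should use a lower-case `it`, and `instructions.[Reference-` needs a space before the link.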
@@ -227,10 +229,14 @@ The above example contains all three extended key usages. If needed, you can repeat this procedure to create multiple CSRs for different DSCs (on different maschines). When prompted, enter the necessary information (e.g. C= your jurisdicion (MUST), O = your Organisation (OPTIONAL), CN = non-empty and unique CN (MUST), …). *Issue the certificate* + Copy the CSR (DSC01csr.pem) to the folder where the private key of your CA is located. Open a command prompt and use the following command to issue the DSC (DSCcert.pem): + ``` openssl x509 -req -in DSC01csr.pem -CA CAcert.pem -CAkey CAprivkey.key -CAcreateserial -days 730 -extensions ext -extfile DSC.conf -out DSCcert.pem ``` + **Important Recommendations for Prod**: Please replace your CAcert.pem and CAprivkey.key which issued by your public Trusted Certificate Authority (CA) insterad of self-signged one. + #### TNP~UP~ generation example ##### uploadCert.conf > Please check [UP Creation](https://github.com/WorldHealthOrganization/smart-trust/releases/download/v1.1.1/1.1.full-video.UP.v2.mp4) video for reference From 20bed5504a68ce620ea534df6b29c6f0ad0dbd42 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 3 Sep 2024 12:05:19 +0530 Subject: [PATCH 21/39] Update README_NEW.md --- README_NEW.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index df0220e35..d2ba8b4ea 100644 --- a/README_NEW.md +++ b/README_NEW.md 
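Review bot: the added line `**Important Recommendations for Prod**: Please replace your CAcert.pem and CAprivkey.key which issued by your public Trusted Certificate Authority (CA) insterad of self-signged one.` has typos (`insterad`, `self-signged`) and a missing verb; suggest `For production, use the CAcert.pem and CAprivkey.key issued by your trusted public CA in place of the self-signed ones.` It would also help to say that the `openssl x509 -req ... -CA CAcert.pem -CAkey CAprivkey.key` command itself is unchanged, so the reader does not look for a separate issuance procedure.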
@@ -160,9 +160,10 @@ This repository contains the template for building [onboarding](https://github.c **Note** On DEV and UAT environment, if the files are generated using a script, delete the generated folder before committing the files. - **For Production** -**Concepts Certificate Preparation** -This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) + **For ProductionConcepts Certificate Preparation** +This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. + + **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. 
You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) From 3f49274dae02b308d33154c4e6365686a8c537af Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Tue, 3 Sep 2024 12:10:07 +0530 Subject: [PATCH 22/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index d2ba8b4ea..ade3b4737 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -766,7 +766,7 @@ GDHCN Participants MUST create new upload certificates and TLS certificates time - Make sure to replace configuration file details with your specific information. - Ensure to back up any existing certificates before renewing. - Verify and update any configurations or deployment settings to use the new certificates. -- Self-signed certificates are generally used for DEV and UAT environments. For production, use certificates signed by a recognized CA. +- Self-signed certificates are generally used for DEV and UAT environments. **For production**, use certificates signed by **Trusted Certificate Authority(CA).** From 275aeab8e9e495cae0dfac5bef8803f2a2373700 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 18:45:34 +0530 Subject: [PATCH 23/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index ade3b4737..d9d6dbe2b 100644 --- a/README_NEW.md +++ b/README_NEW.md 
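Review bot: `**For ProductionConcepts Certificate Preparation**` runs the two labels `For Production` and `Concepts Certificate Preparation` together without a separator; put them on separate lines (ideally as headings) so the text reads correctly and stays linkable.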
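Review bot: in `**For production**, use certificates signed by **Trusted Certificate Authority(CA).**` the full stop sits inside the bold span, the article is missing and there is no space before `(CA)`; suggest `For production, use certificates signed by a trusted Certificate Authority (CA).`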
@@ -573,7 +573,7 @@ You should see a output like: ] ``` 4) Test the other Trustlist Routes in the same style (e.g. with DSC/SCA/Upload/Authentication…) -5) Create an Document Signer Certificate and sign it by the SCA +5) Create an Document Signer Certificate and sign it by the SCA [Refer](https://github.com/arajnor99/smart-trust/blob/main/README_NEW.md#elliptic-curve-public-key-certificates-ecdsa-with-nist-p-256) 6) Create an CMS Package with the following Command: Note: Step 4 and 5 could be achived through two menthod commandline and script respectively . From 5f8279f05c93fa6ee0d06b0146f1c4c009f626d6 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 19:31:18 +0530 Subject: [PATCH 24/39] Update README_NEW.md --- README_NEW.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index d9d6dbe2b..0a004e8a6 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -192,11 +192,15 @@ This guide follows the certificate templates defined in the certificate governan keyUsage = critical, cRLSign, keyCertSign subjectKeyIdentifier = hash ``` + *Certificate generation* Open a command line prompt in the folder where the sca.conf is located and use the following OpenSSL command to create the private key (CAprivkey.key) and the certificate (CAcert.pem): +**For Prod to use** [Trusted CA issued Certificate](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) **recommended,** As below command for self-siged certificate generation as it's usually only recommened for DEV/UAT enviornment. + ``` openssl req -x509 -new -days 1461 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout CAprivkey.key -nodes -out CAcert.pem -config sca.conf ``` + #### DSC generation example Document Signer Certificates (DSCs) must be signed by the SCA. Hence, you have to create the SCA certificate (with the corresponding private key) before you can issue DSCs. 
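Review bot: the `[Refer](https://github.com/arajnor99/smart-trust/blob/main/README_NEW.md#elliptic-curve-public-key-certificates-ecdsa-with-nist-p-256)` link on step 5 is an absolute URL into a personal fork of this same README, so it takes the reader out of the repository and will drift from this copy; use a relative anchor, and since the step is about creating a DSC, point it at `#dsc-generation-example` (as the series later does for the command-line reference) rather than at the whole ECDSA section. Also `Create an Document Signer Certificate` should read `Create a Document Signer Certificate`.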
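Review bot: the inserted sentence `**For Prod to use** [Trusted CA issued Certificate](...) **recommended,** As below command for self-siged certificate generation as it's usually only recommened for DEV/UAT enviornment.` is not grammatical, has typos (`self-siged`, `recommened`, `enviornment`) and again links to a personal fork; suggest `For production, a certificate issued by a trusted CA is recommended (see the CA-signed certificate steps). The command below creates a self-signed SCA certificate and is intended for DEV/UAT only.` Placing the remark between the explanation and the command it qualifies is the right spot.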
From 94650623d07ef3dfba4bffcb40a98396f91be548 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 19:38:55 +0530 Subject: [PATCH 25/39] Update README_NEW.md --- README_NEW.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 0a004e8a6..0863db270 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -656,7 +656,7 @@ Note: Some versions of curl don’t attach the client certificates automatically ## 1. **Renewing TLS Certificates** -The TLS, UP and SCA certificate renewal proces is same as fresh new TLS/UP/SCA certfication generation during fresh new full onboarding you had followed . Once you get notified by TNG Support Team prior 30 daysby E-mail communication on certificate expiration, so accordinlgy you have to renew you respective certificate . +The TLS, UP and SCA certificate renewal proces is same as fresh new TLS/UP/SCA certfication generation during fresh new full onboarding you had followed . Once you get notified by TNG Support Team prior 30 days by E-mail communication on certificate expiration, so accordinlgy you have to renew your respective certificate(s) . **Validity periods** Digital certificates contain a validity period that enforces certificate renewal. Renewal is necessary to use fresh cryptographic keys and to adapt the key sizes when improvements in computation or new attacks threaten the security of the cryptographic algorithm that is used. The shell model applies (see Section “Signing Certificate Authorities and Validation Model”). The following validity periods are recommended based on the assumption of the one-year maximum validity for Verifiable Digital Health Certificates : @@ -811,5 +811,7 @@ GDHCN Participants MUST create new upload certificates and TLS certificates time Feel free to adjust the file names and tags as needed for your specific context. +Once done everything inform TNG-Support Team by email + 
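Review bot: the corrected renewal sentence still contains `proces`, `certfication`, `accordinlgy`, `is same as` and a space before the final full stop; suggest `The TLS, UP and SCA certificate renewal process is the same as the initial TLS/UP/SCA certificate generation you followed during onboarding. The TNG Support Team notifies you by e-mail 30 days before expiry; renew the respective certificate(s) accordingly.`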
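Review bot: `Once done everything inform TNG-Support Team by email` needs rewording, e.g. `Once everything is done, inform the TNG Support Team by e-mail.`; patch 38 rewrites this same line again, so the two commits could be squashed.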
From d6af7e8656094e24604c0df6d80a4af68312fa38 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:15:30 +0530 Subject: [PATCH 26/39] Update README_NEW.md --- README_NEW.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index 0863db270..bf4a6bee9 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -814,4 +814,32 @@ Feel free to adjust the file names and tags as needed for your specific context. Once done everything inform TNG-Support Team by email + +## Steps to Obtain and Use a CA-Signed Certificate + +**1. Generate a Certificate Signing Request (CSR)** +To begin, generate a CSR using the following OpenSSL command. This request will include a new private key and a configuration file: + +``` +openssl req -new -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout CAprivkey.key -out CAreq.csr -config sca.conf +``` + + +**CAprivkey.key:** This file contains the private key. +C**Areq.csr:** This file contains the Certificate Signing Request. +**sca.conf:** This is the OpenSSL configuration file used during the CSR generation. + +**2. Submit the CSR to a Public Certificate Authority (CA)** +Submit the generated CAreq.csr file to the public CA of your choice. The CA will use this CSR to issue a certificate. Upon approval, the CA will provide you with: + +**2. Submit CSR to the Public CA** +Submit the generated CAreq.csr file to the public CA of your choice. They will use the CSR to issue a certificate. The CA will provide you with the signed certificate and possibly a certificate chain or intermediate certificates. + +**3. Use the CA-Signed Certificate** +Once you receive the CA-signed certificate, you will use it instead of generating a new self-signed certificate. Here’s how you can replace the placeholders with the signed certificate: +cp signed_CA_cert.pem ${subdir}/CAcert.pem +cp CAprivkey.key ${subdir}/CAprivkey.key + + + 
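Review bot: the CA-signed certificate steps are copied into README_NEW.md verbatim, carrying over the `C**Areq.csr:**` marker, the duplicated `**2. Submit ...**` step with its dangling `will provide you with:`, the unfenced `cp` lines and the undefined `${subdir}`; fix those before the copy lands, otherwise they have to be fixed in two files. The new `## Steps to Obtain and Use a CA-Signed Certificate` section is also appended after the renewal chapter, far from the SCA generation text that refers to it; placing it next to `#### SCA certificate (TNP~SCA~) generation example` would keep the flow.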
From 4e4d63330d9cf4d50cbeca77a23ed0805823975a Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:18:42 +0530 Subject: [PATCH 27/39] Update README_NEW.md --- README_NEW.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index bf4a6bee9..32a4092b2 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -841,5 +841,8 @@ cp signed_CA_cert.pem ${subdir}/CAcert.pem cp CAprivkey.key ${subdir}/CAprivkey.key +[Link](https://github.com/arajnor99/smart-trust/blob/d6af7e8656094e24604c0df6d80a4af68312fa38/README_NEW.md?plain=1#L818) + + From 7415a1cd3ad8371c227b3aa30c722a4f68daf66a Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:26:00 +0530 Subject: [PATCH 28/39] Update README_NEW.md --- README_NEW.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 32a4092b2..a853af5be 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -841,7 +841,6 @@ cp signed_CA_cert.pem ${subdir}/CAcert.pem cp CAprivkey.key ${subdir}/CAprivkey.key -[Link](https://github.com/arajnor99/smart-trust/blob/d6af7e8656094e24604c0df6d80a4af68312fa38/README_NEW.md?plain=1#L818) From c8f05fb6fd1e9504df20f02eb042601cecec9712 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:52:04 +0530 Subject: [PATCH 29/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index a853af5be..2848a5120 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -840,7 +840,7 @@ Once you receive the CA-signed certificate, you will use it instead of generatin cp signed_CA_cert.pem ${subdir}/CAcert.pem cp CAprivkey.key ${subdir}/CAprivkey.key - +[Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate) 
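Review bot: `[Link](https://github.com/arajnor99/smart-trust/blob/d6af7e8656094e24604c0df6d80a4af68312fa38/README_NEW.md?plain=1#L818)` pins a line number in one commit of a personal fork, so it goes stale on the next edit and sends readers outside this repository; an in-document anchor is the right tool here.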
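Review bot: this only reverts the link added in patch 27; squash the two so the series does not carry a dead-end commit.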
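Review bot: `[Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate)` is placed at the end of that very section, so it sends the reader to where they already are; the jump belongs where the section is referred to (the production recommendation and the SCA generation example), not at its foot.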
From 3baee39ab4ba5593f2b1a6cf7e3b359561093b1c Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:59:57 +0530 Subject: [PATCH 30/39] Update README_NEW.md --- README_NEW.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README_NEW.md b/README_NEW.md index 2848a5120..0a875fb19 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -164,6 +164,7 @@ This repository contains the template for building [onboarding](https://github.c This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) + [Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate) From 21144b4a72928f44022647f639f9111bc448f1ff Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:03:06 +0530 Subject: [PATCH 31/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 0a875fb19..b6dff03e9 100644 --- a/README_NEW.md +++ b/README_NEW.md 
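Review bot: the added ` [Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate)` sits directly under a sentence that already links the same guidance via the external fork URL, so the reader gets two references to one target; keep only the anchor and drop the external link. The leading space before `[` is harmless in Markdown but inconsistent with the surrounding lines.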
@@ -164,7 +164,7 @@ This repository contains the template for building [onboarding](https://github.c This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) - [Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate) + [Reference- Recommendation to use Trusted Public CA Certificate in Prod](#steps-to-obtain-and-use-a-ca-signed-certificate) From 0fba2d7baed69630695e34a875cac3e6f7452a19 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:04:31 +0530 Subject: [PATCH 32/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index b6dff03e9..4ea98083e 100644 --- a/README_NEW.md +++ b/README_NEW.md 
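Review bot: renaming the anchor link text to `[Reference- Recommendation to use Trusted Public CA Certificate in Prod]` makes it identical to the external link in the preceding sentence while the two still point at different targets (the fork URL versus `#steps-to-obtain-and-use-a-ca-signed-certificate`), so readers cannot tell which to follow; consolidate to a single link.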
@@ -163,7 +163,7 @@ This repository contains the template for building [onboarding](https://github.c **For ProductionConcepts Certificate Preparation** This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed. Self-signed certificates are typically used in DEV and UAT environments. - **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions.[Reference- Recommendation to use Trusted Public CA Certificate in Prod](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) + **For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions [Reference- Recommendation to use Trusted Public CA Certificate in Prod](#steps-to-obtain-and-use-a-ca-signed-certificate) From a9717ed6364f0b90cfdd3215c38e07271b38c34f Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:23:01 +0530 Subject: [PATCH 33/39] Update README_NEW.md --- README_NEW.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README_NEW.md b/README_NEW.md index 4ea98083e..753c080fa 100644 --- a/README_NEW.md +++ b/README_NEW.md 
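Review bot: repointing the external link to the in-document anchor is the right fix, but it drops the full stop after `detailed instructions`, and the following line (added in patch 30) now carries an exact duplicate of this link; remove one of them and restore the punctuation: `...for accurate and detailed instructions. [Reference- Recommendation to use Trusted Public CA Certificate in Prod](#steps-to-obtain-and-use-a-ca-signed-certificate)`.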
@@ -196,8 +196,8 @@ This guide follows the certificate templates defined in the certificate governan *Certificate generation* Open a command line prompt in the folder where the sca.conf is located and use the following OpenSSL command to create the private key (CAprivkey.key) and the certificate (CAcert.pem): -**For Prod to use** [Trusted CA issued Certificate](https://github.com/arajnor99/smart-trust/blob/main/For%20Prod%20%20Trusted%20CA%20Certificate.md) **recommended,** As below command for self-siged certificate generation as it's usually only recommened for DEV/UAT enviornment. - +**For Prod to use** [Trusted CA issued Certificated](#steps-to-obtain-and-use-a-ca-signed-certificate) **recommended,** As below command for self-siged certificate generation as it's usually only recommened for DEV/UAT enviornment. + ``` openssl req -x509 -new -days 1461 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout CAprivkey.key -nodes -out CAcert.pem -config sca.conf ``` @@ -841,7 +841,7 @@ Once you receive the CA-signed certificate, you will use it instead of generatin cp signed_CA_cert.pem ${subdir}/CAcert.pem cp CAprivkey.key ${subdir}/CAprivkey.key -[Jump to Steps to Obtain and Use a CA-Signed Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate) + From 932b62b56b18fe7dd79c4ef0c5b67077bddf716b Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:42:24 +0530 Subject: [PATCH 34/39] Update README_NEW.md --- README_NEW.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README_NEW.md b/README_NEW.md index 753c080fa..189d3deff 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -843,6 +843,8 @@ cp CAprivkey.key ${subdir}/CAprivkey.key +[DSC JUMP](#### DSC generation example) + From c4b95263e71d2c088e40cf0609144c5b4ed38ab2 Mon Sep 17 00:00:00 2001 
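Review bot: the retargeted link introduces a typo, `Trusted CA issued Certificated` should read `Trusted CA issued Certificate`, and the surrounding sentence (`**For Prod to use** ... **recommended,** As below command for self-siged ...`) is still ungrammatical with `self-siged`, `recommened` and `enviornment` unfixed. The second hunk correctly removes the self-referencing jump link added in patch 29; squashing the two would avoid the churn.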
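Review bot: `[DSC JUMP](#### DSC generation example)` is not a valid Markdown link target: GitHub heading anchors are lower-case, hyphenated slugs, so this renders as a broken link; use `(#dsc-generation-example)` (as patch 35 then does) together with descriptive link text.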
From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:47:43 +0530 Subject: [PATCH 35/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 189d3deff..20de8641d 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -843,7 +843,7 @@ cp CAprivkey.key ${subdir}/CAprivkey.key -[DSC JUMP](#### DSC generation example) +[Jump to DSC generation example](#dsc-generation-example) From 512b5334c23744b933f1afb0ea385a222a246ec5 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:51:03 +0530 Subject: [PATCH 36/39] Update README_NEW.md --- README_NEW.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 20de8641d..10b79f734 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -580,7 +580,8 @@ You should see a output like: 4) Test the other Trustlist Routes in the same style (e.g. with DSC/SCA/Upload/Authentication…) 5) Create an Document Signer Certificate and sign it by the SCA [Refer](https://github.com/arajnor99/smart-trust/blob/main/README_NEW.md#elliptic-curve-public-key-certificates-ecdsa-with-nist-p-256) 6) Create an CMS Package with the following Command: - Note: Step 4 and 5 could be achived through two menthod commandline and script respectively . + Note: Step 5 and 6 could be achived through two menthod commandline [Commandline reference](#dsc-generation-example) + and script respectively . **Method 1 - Commandline .** ``` From 589d9cd9e1b9fbc2afbb26789e7c02afa6a14497 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 21:52:27 +0530 Subject: [PATCH 37/39] Update README_NEW.md --- README_NEW.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index 10b79f734..e2eb83013 100644 --- a/README_NEW.md +++ b/README_NEW.md 
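Review bot: the anchor is now correct, but `[Jump to DSC generation example](#dsc-generation-example)` still sits at the end of the CA-signed certificate section with no lead-in; a short sentence such as `Next, issue DSCs under this SCA:` would tell the reader why the link is there.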
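Review bot: the note `Step 5 and 6 could be achived through two menthod commandline [Commandline reference](#dsc-generation-example) and script respectively .` has typos (`achived`, `menthod`), should read `Steps 5 and 6`, is split across two lines mid-sentence, and gives a link for the command-line method but none for the script method; suggest `Note: Steps 5 and 6 can be done either on the command line ([reference](#dsc-generation-example)) or with the provided script.`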
@@ -844,7 +844,6 @@ cp CAprivkey.key ${subdir}/CAprivkey.key -[Jump to DSC generation example](#dsc-generation-example) From 11211ad15552b7622dbc769156c8df5d64334966 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 22:32:31 +0530 Subject: [PATCH 38/39] Update README_NEW.md --- README_NEW.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_NEW.md b/README_NEW.md index e2eb83013..cff92a4c1 100644 --- a/README_NEW.md +++ b/README_NEW.md @@ -813,7 +813,7 @@ GDHCN Participants MUST create new upload certificates and TLS certificates time Feel free to adjust the file names and tags as needed for your specific context. -Once done everything inform TNG-Support Team by email +Once you done with nrewal of your certificates(s) then inform TNG-Support Team by email From 54ec17c9db757a5fadd424f4255828287b836229 Mon Sep 17 00:00:00 2001 From: arajnor99 <153087310+arajnor99@users.noreply.github.com> Date: Wed, 4 Sep 2024 22:34:37 +0530 Subject: [PATCH 39/39] Delete For Prod Trusted CA Certificate.md --- For Prod Trusted CA Certificate.md | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 For Prod Trusted CA Certificate.md diff --git a/For Prod Trusted CA Certificate.md b/For Prod Trusted CA Certificate.md deleted file mode 100644 index e87ad16a5..000000000 --- a/For Prod Trusted CA Certificate.md +++ /dev/null 
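Review bot: this removes the `[Jump to DSC generation example](#dsc-generation-example)` link that patches 34 and 35 added and then fixed, so the three commits cancel out; squash them out of the series.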
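Review bot: `Once you done with nrewal of your certificates(s) then inform TNG-Support Team by email` still has `nrewal`, `certificates(s)` and a missing verb; suggest `Once you have renewed your certificate(s), inform the TNG Support Team by e-mail.`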
@@ -1,24 +0,0 @@ -## Steps to Obtain and Use a CA-Signed Certificate - -**1. Generate a Certificate Signing Request (CSR)** -To begin, generate a CSR using the following OpenSSL command. This request will include a new private key and a configuration file: - -``` -openssl req -new -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout CAprivkey.key -out CAreq.csr -config sca.conf -``` - - -**CAprivkey.key:** This file contains the private key. -C**Areq.csr:** This file contains the Certificate Signing Request. -**sca.conf:** This is the OpenSSL configuration file used during the CSR generation. - -**2. Submit the CSR to a Public Certificate Authority (CA)** -Submit the generated CAreq.csr file to the public CA of your choice. The CA will use this CSR to issue a certificate. Upon approval, the CA will provide you with: - -**2. Submit CSR to the Public CA** -Submit the generated CAreq.csr file to the public CA of your choice. They will use the CSR to issue a certificate. The CA will provide you with the signed certificate and possibly a certificate chain or intermediate certificates. - -**3. Use the CA-Signed Certificate** -Once you receive the CA-signed certificate, you will use it instead of generating a new self-signed certificate. Here’s how you can replace the placeholders with the signed certificate: -cp signed_CA_cert.pem ${subdir}/CAcert.pem -cp CAprivkey.key ${subdir}/CAprivkey.key
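Review bot: deleting the standalone file is consistent, since patches 32 and 33 repointed both external links to the in-README anchor, but the content was copied in patch 26 with all of its defects (`C**Areq.csr:**`, duplicated step 2, unfenced `cp` lines, undefined `${subdir}`), so those still need fixing in README_NEW.md. A final search for `For%20Prod` would confirm that no link to the removed path survives.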