{"id":46,"date":"2009-05-11T09:01:03","date_gmt":"2009-05-11T09:01:03","guid":{"rendered":"http:\/\/www.eriugena.org\/blog\/?p=46"},"modified":"2009-05-11T09:33:45","modified_gmt":"2009-05-11T09:33:45","slug":"how-to-prove-a-root-certificate-part-2","status":"publish","type":"post","link":"http:\/\/www.eriugena.org\/blog\/?p=46","title":{"rendered":"How to prove a Root Certificate &#8211; part 2"},"content":{"rendered":"<p>Another way to prove the authenticity of the Root Certificate is to publish it signed by a certificate issued by a previously trusted PKI. This can be useful in the case where a PKI is being established to replace a legacy system.<\/p>\n<p>I have previously used the Mozilla NSS tool <a target=\"_blank\" href=\"http:\/\/www.mozilla.org\/projects\/security\/pki\/nss\/tools\/cmsutil.html\">CMSUTIL<\/a> to sign a data file but this time I decided to write a program using the Microsoft CryptoAPI on Windows because that is less sensitive to expired certificates. 
NSS CMSUTIL will not validate the signature if the signing certificate has expired and that could be a problem in this case as we are using a certificate from a legacy PKI to sign the Root Certificate of the replacement PKI.<\/p>\n<p>Here is the <a target=\"_blank\" href=\"http:\/\/www.ietf.org\/rfc\/rfc2630.txt\">CMS<\/a> signed data blob containing the Root Certificate <a href=\"http:\/\/www.eriugena.org\/blog\/wp-content\/uploads\/2009\/05\/cmssigned.dat\" title=\"cmssigned.dat\">cmssigned.dat<\/a><\/p>\n<p>You can verify the signature and examine the signing certificate using this program <a href=\"http:\/\/www.eriugena.org\/blog\/wp-content\/uploads\/2009\/05\/cms-verify.cpp\" title=\"cms-verify.cpp\">cms-verify.cpp<\/a> and for completeness here is the program that I used to sign it <a href=\"http:\/\/www.eriugena.org\/blog\/wp-content\/uploads\/2009\/05\/cms-sign.cpp\" title=\"cms-sign.cpp\">cms-sign.cpp<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another way to prove the authenticity of the Root Certificate is to publish it signed by a certificate issued by a previously trusted PKI. 
This can be useful in the case where a PKI is being established to replace a legacy system. I have previously used the Mozilla NSS tool CMSUTIL to sign a data file but this time [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-46","post","type-post","status-publish","format-standard","hentry","category-crypto"],"_links":{"self":[{"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/46","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46"}],"version-history":[{"count":0,"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.eriugena.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}