To create a cryptography.x509.PrecertificateSignedCertificateTimestamps, I need a list of certificate_transparency.SignedCertificateTimestamp, but I don't know how to do that, and what kind of information I need.
I'm making x509 certificate on my own, and all the information in the certificate are not real. I did this first:
PrecertificateSignedCertificateTimestamps = x509.PrecertificateSignedCertificateTimestamps(
and then I find that:
oid = ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
and then I find
def version(self) -> Version:
Returns the SCT version.
def log_id(self) -> bytes:
Returns an identifier indicating which log this SCT is for.
def timestamp(self) -> datetime.datetime:
Returns the timestamp for this SCT.
def entry_type(self) -> LogEntryType:
Returns whether this is an SCT for a certificate or pre-certificate.
I find the relationship of these objects, but I don't know how to make it.
There's some information about making requests to Let's Encrypt test CT servers in their documentation, and an explanation of how the SCT gets encoded in a linked blog post:
But really it would just be if you're nosy and curious about the internals. I don't think any browser requires SCTs for private CAs, as the whole point of the CT ecosystem is around publicly-trusted CAs. So in any X509 certificate you're making for test purposes, you can just not include SCTs and it will likely make your life much easier.
Thank you very much, I think I can make the SCT after reading these artical. I'm trying to do some job like parsing certificate and making Threatening certificates，maybe I need to do this annoying thing.I’m grateful for your help.
What is the exact purpose of this? As @petercooperjr noted, browsers generally don't require SCTs for private CAs. SCTs are only even supported in a handful of browsers. So you'll go through all this work (which may require setting up a publicly accessible CT log) to end up with a Certificate that can only potentially be tested in a handful of browsers, but none of them are likely to even care about the SCT information.
Phrasing this another way, properly testing/using this would mean not just creating an SCT but making it publicly accessible. That is a lot of effort and moving parts.
They may be a much simpler approach to your goals if you can share them.
And for that matter, existing public CT logs won't accept certificates from issuers that the log operators don't believe are likely to be publicly trusted.
I think that's the main reason @jvanasco indicated that
Exactly. Testing this "ecosystem" isn't just going to be forging an SCT, but also hosting the CT log the SCT references. This is a lot of work.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.