Fix tls-alpn-01 certificate generation
parent
8358c1513a
commit
3b7aa20759
|
@ -32,6 +32,7 @@ import javax.annotation.ParametersAreNonnullByDefault;
|
|||
import javax.annotation.WillClose;
|
||||
|
||||
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
||||
import org.bouncycastle.asn1.DEROctetString;
|
||||
import org.bouncycastle.asn1.x500.X500Name;
|
||||
import org.bouncycastle.asn1.x509.Extension;
|
||||
import org.bouncycastle.asn1.x509.GeneralName;
|
||||
|
@ -120,7 +121,7 @@ public final class CertificateUtils {
|
|||
gns[0] = new GeneralName(GeneralName.dNSName, subject);
|
||||
certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(gns));
|
||||
|
||||
certBuilder.addExtension(ACME_VALIDATION_V1, true, acmeValidationV1);
|
||||
certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1));
|
||||
|
||||
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlg);
|
||||
|
||||
|
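Review bot: The new `certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1))` line still passes `acmeValidationV1` through unchecked, so a null or empty array only surfaces as a BouncyCastle encoding error or as a certificate the ACME server rejects during validation; a guard such as `Objects.requireNonNull(acmeValidationV1, "acmeValidationV1");` before the call (and, if the file already validates arguments that way, a length check — RFC 8737 defines the value as a SHA-256 digest, i.e. 32 bytes) would fail earlier with a clearer message. The reason for the wrapping is also invisible in the code, and the old unwrapped form looks simpler, so a one-line comment such as `// RFC 8737: the extension value is the digest as a DER OCTET STRING, not the raw bytes` would keep a later maintainer from "simplifying" it back. The enclosing method starts and ends outside the hunk, so whether such a check already exists further up cannot be seen here.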
|
|
@ -33,6 +33,7 @@ import java.util.List;
|
|||
import java.util.Set;
|
||||
|
||||
import org.bouncycastle.asn1.ASN1InputStream;
|
||||
import org.bouncycastle.asn1.BERTags;
|
||||
import org.bouncycastle.asn1.DEROctetString;
|
||||
import org.bouncycastle.asn1.x509.GeneralName;
|
||||
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
|
||||
|
@ -111,7 +112,13 @@ public class CertificateUtilsTest {
|
|||
|
||||
try (ASN1InputStream asn = new ASN1InputStream(new ByteArrayInputStream(encodedExtensionValue))) {
|
||||
DEROctetString derOctetString = (DEROctetString) asn.readObject();
|
||||
assertThat(derOctetString.getOctets(), is(acmeValidationV1));
|
||||
|
||||
byte[] test = new byte[acmeValidationV1.length + 2];
|
||||
test[0] = BERTags.OCTET_STRING;
|
||||
test[1] = (byte) acmeValidationV1.length;
|
||||
System.arraycopy(acmeValidationV1, 0, test, 2, acmeValidationV1.length);
|
||||
|
||||
assertThat(derOctetString.getOctets(), is(test));
|
||||
}
|
||||
}
|
||||
|
||||
|
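Review bot: The expected value built in the `byte[] test = new byte[acmeValidationV1.length + 2];` lines hand-encodes the DER OCTET STRING header with a single short-form length byte, which is only correct while `acmeValidationV1` is shorter than 128 bytes; the fixture is presumably a SHA-256 digest today, but the test would encode a wrong expectation rather than fail if that ever changed. Letting BouncyCastle produce the expected encoding removes the hand-rolled tag and length: `assertThat(derOctetString.getOctets(), is(new DEROctetString(acmeValidationV1).getEncoded()));`, after which the `BERTags` import added in the first hunk becomes unused. An alternative that asserts the structure instead of the bytes is comparing `ASN1OctetString.getInstance(derOctetString.getOctets()).getOctets()` against `acmeValidationV1`, which would need an `ASN1OctetString` import. `getEncoded()` throws `IOException`, so the enclosing test method, which starts outside the hunk, must declare it if it does not already.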
|
|
@ -15,7 +15,7 @@ TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.TYPE);
|
|||
byte[] acmeValidationV1 = challenge.getAcmeValidationV1();
|
||||
```
|
||||
|
||||
You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as octet string extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
|
||||
You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as DER encoded `OCTET STRING` extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
|
||||
|
||||
After that, configure your web server so it will use this certificate on an incoming TLS request having the SNI `subject` and the ALPN protocol `acme-tls/1`.
|
||||
|
||||
|
|