/spid-compliant-certificates

Solution to create self-signed certificates according to Avviso SPID n.29

Primary LanguageShellMIT LicenseMIT

SPID Compliant Certificate

The repository contains a solution to create X.509 certificates according to Avviso SPID n.29 v3.

NOTE: Python native implementation available at https://github.com/italia/spid-compliant-certificates-python

NOTE: The solution is provided "AS-IS" and does not represent an official implementation from Agenzia per l'Italia Digitale

Private key, CSR and self-signed certificate for public sector (with Docker)

  1. Create and edit the docker.env file according to your needs (see Configuration parameters)

    $ cp public.env.example docker.env
    $ editor docker.env
    
  2. Run the script gencert-with-docker.sh

    $ chmod +x gencert-with-docker.sh
    $ ./gencert-with-docker.sh
    
  3. Enjoy with your new private key (key.pem) and self-signed certificate (crt.pem)

    $ ls ./generated-certs/
    crt.pem  csr.pem  key.pem
    

    NOTE: This generates also a certificate signing request (csr.pem) that can be submitted to AgID in order to obtain a signed certificate.

Private key, CSR and self-signed certificate for public sector

  1. Run the following commands to configure the environment according to your needs (see Configuration parameters)

    $ cat > myenv.sh <<EOF
    export COMMON_NAME="Comune di Roma"
    export DAYS="3650"
    export ENTITY_ID="https://spid.comune.roma.it/metadata"
    export KEY_LEN="3072"
    export LOCALITY_NAME="Roma"
    export MD_ALG="sha512"
    export ORGANIZATION_IDENTIFIER="PA:IT-c_h501"
    export ORGANIZATION_NAME="Comune di Roma"
    EOF
    $ chmod +x myenv.sh && source myenv.sh
    
  2. Generate the private key (key.pem), the self-signed certificate (crt.pem) and the certificate signing request (csr.pem) with the following command

    $ chmod +x gencert-public.sh
    $ ./gencert-public.sh
    

    The output produced by the script (see the ASN.1 dumps) allows to check if the specifications were honoured.

Private key, CSR and self-signed certificate for public sector with interactive mode

  1. Generate the private key (key.pem), the self-signed certificate (crt.pem) and the certificate signing request (csr.pem) with the following command

    $ chmod +x gencert-public.sh
    $ ./gencert-public.sh -i
    

Private key and CSR for private sector (with Docker)

  1. Create and edit the docker.env file according to your needs (see Configuration parameters)

    $ cp private.env.example docker.env
    $ editor docker.env
    
  2. Run the script gencert-with-docker.sh

    $ chmod +x gencert-with-docker.sh
    $ ./gencert-with-docker.sh
    
  3. Enjoy with your new private key (key.pem) and CSR (csr.pem)

    $ ls ./generated-certs/
    csr.pem  key.pem
    

Private key and CSR for private sector

  1. Run the following commands to configure the environment according to your needs

    $ cat > myenv.sh <<EOF
    export COMMON_NAME="Comune di Roma"
    export ENTITY_ID="https://spid.comune.roma.it/metadata"
    export KEY_LEN="3072"
    export LOCALITY_NAME="Roma"
    export MD_ALG="sha256"
    export ORGANIZATION_IDENTIFIER="VATIT-02438750586"
    export ORGANIZATION_NAME="Comune di Roma"
    EOF
    $ chmod +x myenv.sh && source myenv.sh
    
  2. Generate the private key (key.pem) and the certificate signing request (csr.pem) with the following command

    $ chmod +x gencert-private.sh
    $ ./gencert-private.sh
    

Validate the certificate

The following steps can be followed to verify the compliancy of certificates generated with the tools in this repository and certificates generated/obtained from third parties.

With Docker

Run the script validate-crt-with-docker.sh

$ chmod +x validate-crt-with-docker.sh
$ ./validate-crt-with-docker.sh

By default, it will validate the certificate at

generated-certs/crt.pem

Such a default path can be modified by setting the CERT_FILE envvar

$ chmod +x validate-crt-with-docker.sh
$ CERT_FILE=/absolute/path/to/your/crt.pem ./validate-crt-with-docker.sh

NOTE: The first script execution could take some time, because the Docker image needs to be built. Following execution will be immediate.

With command line

Install the required Python packages

$ cd validator
$ pip install -r requirements.txt

Run the Python tests suite

$ ./validator.py

By default, it will validate the certificate at

./crt.pem

Such a default path can be modified by setting the CERT_FILE envvar

$ CERT_FILE=/path/to/your/crt.pem ./validator.py

Configuration parameters

This section documents the configuration parameters that can be set as environment variable.

Commons

  • COMMON_NAME: short name of the service provider (example: AgID, default: "")

  • ENTITY_ID: value of the entityID attribute in <EntityDescriptor> element (example: https://spid.agid.gov.it, default: "")

  • KEY_LEN: length of the private key (allowd values: [2048, 3072, 4096], default: 2048)

  • LOCALITY_NAME: extended name of the locality (example: Roma, default: "")

  • MD_ALG: digest algorithm to be used (allowed values: [sha256, sha512], default: sha256)

  • ORGANIZATION_NAME: extended name of the service provider (example: Agenzia per l'Italia Digitale, default: "")

Public sector specific

  • DAYS: validity of the self-signed certificate (example: 3650, default: 730)

  • ORGANIZATION_IDENTIFIER: service provider identifier in the form of PA:IT-<IPA Code> (example: PA:IT-c_h501, default: "")

Private sector specific

  • ORGANIZATION_IDENTIFIER: service provider identifier in the form of VATIT-<partita iva> or CF:IT-<codice fiscale> (example: VATIT-12345678901, default: "")