Commit 1fedb9c

Add Chimera cert usage to README.md
1 parent 4952dc4 commit 1fedb9c

1 file changed

+37
-0
lines changed

README.md

Lines changed: 37 additions & 0 deletions
@@ -157,6 +157,43 @@ wolfssl verify -CAfile A.cert B.cert
157157
wolfssl verify -CAfile A.cert C.cert
158158
```
159159

160+
### Creating Chimera Certificates
161+
162+
Following is a scenario creating Chimera (dual algorithms) certificates for PQC(Post Quantum Cryptography).
163+
164+
The following demonstrates how to create a root CA and use it to sign other certificates. This example uses ECC and ML-DSA. In this scenario there are three entities A, B, and C, where A is meant to function as a root CA.
165+
166+
The following steps demonstrate how to generate keys and certificates for A, B, and C, where A is self-signed and B and C are signed by A
167+
168+
1. Create private ECC and ML-DSA keys for A, B, and C
169+
```
170+
wolfssl genkey -ecc -out ecc-key-A -output priv -outform PEM
171+
wolfssl genkey -ecc -out ecc-key-B -output priv -outform PEM
172+
wolfssl genkey -ecc -out ecc-key-C -output priv -outform PEM
173+
wolfssl genkey -ml-dsa -out ml-dsa-key-A -output keypair -outform PEM
174+
wolfssl genkey -ml-dsa -out ml-dsa-key-B -output keypair -outform PEM
175+
wolfssl genkey -ml-dsa -out ml-dsa-key-C -output keypair -outform PEM
176+
```
177+
178+
2. Create a self-signed conventional certificate for A, root CA certificate.
179+
```
180+
wolfssl req -new -key ecc-key-A.priv -subj O=org-A/C=US/ST=WA/L=Seattle/CN=A/OU=org-unit-A -x509 -out A.cert -outform PEM
181+
wolfssl ca -altextend -in A.cert -keyfile ecc-key-A.priv -altkey ml-dsa-key-A.priv -altpub ml-dsa-key-A.pub -out A-chimera.cert
182+
```
183+
184+
3. Create certificates for B and C.
185+
```
186+
# first create conventional certificate signing request (CSR) for B and C
187+
wolfssl req -new -key ecc-key-B.priv -subj O=org-B/C=US/ST=WA/L=Seattle/CN=B/OU=org-unit-B -out B.csr -outform PEM
188+
wolfssl req -new -key ecc-key-C.priv -subj O=org-C/C=US/ST=WA/L=Seattle/CN=C/OU=org-unit-C -out C.csr -outform PEM
189+
190+
# now have conventional signed certs, then add a pub key and Chimera signs the B and C to generate Chimera certificates
191+
wolfssl ca -in B.csr -keyfile ecc-key-A.priv -cert A.cert -out B.cert
192+
wolfssl ca -in C.csr -keyfile ecc-key-B.priv -cert B.cert -out C.cert
193+
wolfssl ca -altextend -in B.cert -keyfile ecc-key-A.priv -altkey ml-dsa-key-A.priv -altpub ml-dsa-key-B.pub -subjkey ecc-key-B.priv -cert A-chimera.cert -out B-chimera.cert
194+
wolfssl ca -altextend -in C.cert -keyfile ecc-key-B.priv -altkey ml-dsa-key-B.priv -altpub ml-dsa-key-C.pub -subjkey ecc-key-C.priv -cert B-chimera.cert -out C-chimera.cert
195+
```
196+
160197
## Contacts
161198

162199
Please contact [email protected] with any questions or comments.
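
Review bot: In step 3 the commands contradict the scenario text. The introduction says "B and C are signed by A", but C is issued with `wolfssl ca -in C.csr -keyfile ecc-key-B.priv -cert B.cert -out C.cert`, and the C-chimera.cert command likewise uses `-altkey ml-dsa-key-B.priv` and `-cert B-chimera.cert`, so C is signed by B on both the ECC and the ML-DSA side. Either switch those two commands to A's keys with A.cert and A-chimera.cert, or reword the introduction to say that B acts as an intermediate CA for C. Two smaller points: the step 2 heading describes only the conventional self-signed certificate although the second command also produces A-chimera.cert, and the section ends without a verification step for the chimera certificates, unlike the `wolfssl verify -CAfile A.cert ...` lines directly above it.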