I found an explanation in [Need explanation about KeyId/CertId/CertPathId/PassPhraseId][1], and I use the commands

```
openssl dgst -sha1 -c -hex self_signed.crt
openssl dgst -sha1 -c -hex new_rsa_pub.key
```

to create KeyId/CertId/CertPathId. It works fine in the Keystore and Certificate Management cases. But in the TLS Server cases, especially in Test Case ADVANCED_SECURITY-3-2-3, step 18,
ONVIF Client verifies basic TLS handshake with expecting Server Certificate (in certPathID) using specified port (in portHTTPS) by following the procedure mentioned in Annex A.21.
and in Annex A.21, the Certificate in ServerHello message:
The DUT TLS server responds Certificate message with parameters
- Certificate.CertificateID =: CertificateID
- Certificate.KeyID =: KeyID
It seems the KeyID/CertificateID must be contained in the TLS server's certificate files, and the KeyID/CertificateID must equal the IDs created by the commands above... Nothing unexpected, the test failed...
So what exactly do KeyID/CertificateID mean? How can I create these IDs with openssl?
Thanks!
1 Answer
As you can see in the source of advancedsecurity.wsdl, KeyID and CertificateID are defined as:

```xml
<xs:simpleType name="KeyID">
  <xs:annotation>
    <xs:documentation>Unique identifier for keys in the keystore.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:NCName">
    <xs:maxLength value="64"/>
  </xs:restriction>
</xs:simpleType>
<xs:simpleType name="CertificateID">
  <xs:annotation>
    <xs:documentation>Unique identifier for certificates in the keystore.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:NCName">
    <xs:maxLength value="64"/>
  </xs:restriction>
</xs:simpleType>
```

As you can see, they are strings that you can freely define to identify keys and certificates.
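To make the schema restriction above concrete, here is an added example (my own code, not from the answer, the asker, or ONVIF) that checks a candidate identifier against the two constraints the WSDL states, `xs:NCName` and `xs:maxLength 64`, and derives a deterministic, valid identifier from key or certificate bytes. Two consequences of the NCName base type matter in practice: an NCName may not contain `:` and may not begin with a digit, so the colon-separated output of `openssl dgst -c` is not a valid ID as-is, and a bare hex digest may fail the first-character rule. Prefixing the plain hex digest solves both. The regular expression is a simplified ASCII subset of NCName (the full production also admits many non-ASCII letters), which is an assumption adequate for digest-based identifiers; the `SAMPLE_DER` bytes are constructed, not a real certificate.

```python
import hashlib
import re

# Simplified ASCII subset of xs:NCName (assumption: the real production also
# allows additional Unicode letters, which digest-based IDs never need).
# Rule captured here: first character is a letter or '_', no ':' anywhere.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")
MAX_ID_LENGTH = 64  # xs:maxLength from advancedsecurity.wsdl


def is_valid_id(candidate: str) -> bool:
    """True if candidate satisfies the KeyID/CertificateID restriction
    (xs:NCName of at most 64 characters)."""
    return (
        len(candidate) <= MAX_ID_LENGTH
        and NCNAME_RE.fullmatch(candidate) is not None
    )


def make_id(prefix: str, der_bytes: bytes) -> str:
    """Derive a deterministic identifier from DER-encoded key/cert bytes:
    prefix followed by the plain (colon-free) hex SHA-1 digest.
    The prefix guarantees the NCName first-character rule even when the
    digest starts with a digit; 5 + 40 characters stays under the 64 limit."""
    digest = hashlib.sha1(der_bytes).hexdigest()  # 40 lowercase hex chars
    ident = f"{prefix}{digest}"
    if not is_valid_id(ident):
        raise ValueError(f"derived identifier violates the ID restriction: {ident!r}")
    return ident


# Constructed sample input standing in for a certificate's DER bytes.
SAMPLE_DER = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00constructed-sample-cert"


if __name__ == "__main__":
    print(make_id("cert-", SAMPLE_DER))
    # Colon-separated digest as printed by 'openssl dgst -c' is not an NCName.
    print(is_valid_id("de:ad:be:ef"))
    # A digest beginning with a digit fails the first-character rule.
    print(is_valid_id("0a1b2c"))
```

The same function validates identifiers received from a client before they are used as keystore lookup keys, which is where a service should reject malformed values rather than let them reach the keystore.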