Order a new certificate

This section covers the steps necessary to create a STIR/SHAKEN certificate.

Certificate private key

The certificate's private key must be an EC key on the P-256 curve (prime256v1). It can be generated with the OpenSSL library bindings for your programming language, or with the CLI tool:

openssl ecparam -genkey -name prime256v1 -out ./private_key.pem

The ACME server does not accept other key algorithms or other elliptic curves.

TNAuthList

Every STIR/SHAKEN SP certificate must include a TNAuthList extension (OID 1.3.6.1.5.5.7.1.26), defined in RFC 8226.

The extension should contain the Service Provider's unique account code (OCN):

asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:<OCN>

The TNAuthList value used in the ACME HTTP requests is the base64-encoded DER encoding of this ASN.1 extension object.

For example, for OCN 818H the X509v3 extension will be:

asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:818H

And the base64-encoded TNAuthList value for HTTP requests:

MAigBhYEODE4SA==

How to generate "TNAuthList value"

The TNAuthList value (the "tkvalue" of the SPC token) is the base64-encoded DER X509 extension; you can create it with the openssl CLI tool in the following steps:

Step 1: Create the OpenSSL .conf file

cat << EOF > tnauthlist.conf
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:<UPPERCASE OCN>
EOF

Step 2: Create the DER-encoded extension

openssl asn1parse -genconf tnauthlist.conf -noout -out tnauthlist.der

Step 3: Base64-encode it

cat tnauthlist.der | base64

Here is a full example:

% cat << EOF > tnauthlist.conf
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:818H
EOF

% openssl asn1parse -genconf tnauthlist.conf -noout -out tnauthlist.der

% cat tnauthlist.der | base64
MAigBhYEODE4SA==
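The same encoding done in code, as an added Go example that is not part of the page or Peeringhub's tooling: it builds the DER with encoding/asn1, decodes it back, and rejects lowercase OCNs and trailing bytes, which the openssl steps above do not check.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// tnAuthList mirrors the page's openssl config (SEQUENCE:tn_auth_list with
// field1=EXP:0,IA5:<OCN>): a SEQUENCE holding one [0] EXPLICIT IA5String.
// RFC 8226 defines TNAuthorizationList as SEQUENCE OF TNEntry (a CHOICE); for
// the single-SPC entry this CA expects, the two encodings are byte-identical.
type tnAuthList struct {
	SPC string `asn1:"explicit,tag:0,ia5"`
}

// TNAuthListValue returns the base64 (standard alphabet, padded) DER encoding
// of the TNAuthList extension for one OCN, i.e. the "value" sent in the ACME
// "identifiers" and the "tkvalue" carried by the SPC token.
func TNAuthListValue(ocn string) (string, error) {
	if ocn == "" || ocn != strings.ToUpper(ocn) {
		return "", errors.New("OCN must be non-empty and uppercase")
	}
	der, err := asn1.Marshal(tnAuthList{SPC: ocn})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// ParseTNAuthListValue decodes a TNAuthList value back to its OCN, rejecting
// trailing bytes and any structure other than a single SPC entry, which is
// the check a server (or a client validating an SPC token) should apply.
func ParseTNAuthListValue(value string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return "", err
	}
	var tl tnAuthList
	rest, err := asn1.Unmarshal(der, &tl)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing bytes after TNAuthList")
	}
	return tl.SPC, nil
}

func main() {
	v, _ := TNAuthListValue("818H")
	ocn, _ := ParseTNAuthListValue(v)
	fmt.Println("818H ->", v, "->", ocn) // 818H -> MAigBhYEODE4SA== -> 818H
}
```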

Order creation

To submit a new certificate order, the ACME client sends a POST request to the newOrder URL with the following parameters in the payload:

  • identifiers (mandatory) - contains the TNAuthList value

  • notBefore (optional) - desired notBefore value of the created certificate

  • notAfter (optional) - desired notAfter value

The mandatory "identifiers" parameter must be a JSON array with a single TNAuthList identifier object:

{
  "type" : "TNAuthList",
  "value" : "MAigxxxxxDE4SA=="
}

The optional notBefore and notAfter parameters use the RFC 3339 timestamp format (for example 2022-01-15T00:00:01Z). If they are not set, the certificate is issued with the default lifespan of 1 year.

Example of the New Order request:

POST https://stica.peeringhub.io/acme/new-order

Content-Type: application/jose+json
Content-Length: 572
{
  "protected" : BASE64URL(
    {
      "alg" : "ES256",
      "nonce" : "497685E333B24DEFBEDEB5D5A595FF28",
      "url" : "https://stica.peeringhub.io/acme/new-order",
      "kid" : "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : BASE64URL(
    {
      "identifiers" : [{ "type" : "TNAuthList", "value" : "MAigBhYEODE4SA==" }],
      "notBefore" : "2022-08-08T21:48:20Z",
      "notAfter" : "2022-08-08T21:53:20Z"
    }
  ),
  "signature" : "<base64url-encoded signature>"
}

On success, the ACME server returns the new ACME Order object, with the ACME Order URL in the Location header:

HTTP/1.1 201 Created
Location: https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0
Replay-Nonce: 51029A7B34EC4F2280ECD2A6EC4E3C04
Content-Type: application/json; charset=utf-8
Content-Length: 395
{
  "status" : "pending",
  "expires" : "2022-08-09T21:49:43Z",
  "identifiers" : [{ "type" : "TNAuthList", "value" : "MAigBhYEODE4SA==" }],
  "notBefore" : "2022-08-08T21:48:20Z",
  "notAfter" : "2022-08-08T21:53:20Z",
  "error" : null,
  "authorizations" : [ "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB" ],
  "finalize" : "https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0/finalize"
}

The ACME client can fetch the ACME Order object at any time by sending a POST request with an empty payload (POST-as-GET) to the ACME Order URL:

POST https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0

Content-Type: application/jose+json
Content-Length: 430
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "B106476126104951AC9177221C508154",
      "url": "https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : "",
  "signature" : "<base64url-encoded signature>"
}
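Every request on this page, the New Order POST above and the empty-payload fetch alike, is the same JWS construction. The following added Go example (not Peeringhub's client code) signs one with ES256 and checks it on the receiving side; the account URL, nonce and stica.example host in main are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url (RFC 7515)

// SignRequest builds the ES256 JWS for one ACME POST on this page. The protected header
// binds alg, kid, the previous reply's Replay-Nonce and the target URL, so a captured
// body can neither be replayed nor redirected. A nil payload gives the POST-as-GET form.
func SignRequest(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) ([]byte, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	protected, body := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	// ES256 signs SHA-256(protected "." payload); r||s go as two fixed 32-byte ints, not DER.
	h := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return json.Marshal(map[string]string{"protected": protected, "payload": body, "signature": b64.EncodeToString(sig)})
}

// VerifyRequest is the receiving side: it checks the signature and returns the
// protected header so that nonce, url and kid can be compared with what arrived.
func VerifyRequest(pub *ecdsa.PublicKey, raw []byte) (map[string]string, error) {
	var m map[string]string
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(m["signature"])
	hdr, err2 := b64.DecodeString(m["protected"])
	if err != nil || err2 != nil || len(sig) != 64 {
		return nil, errors.New("malformed JWS: need base64url fields and a 64-byte signature")
	}
	h := sha256.Sum256([]byte(m["protected"] + "." + m["payload"]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("ES256 signature does not verify")
	}
	var out map[string]string
	err = json.Unmarshal(hdr, &out)
	return out, err
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the ACME account key
	out, _ := SignRequest(key, "https://stica.example/acme/acct/ACCOUNT_ID", "NONCE", "https://stica.example/acme/new-order", nil)
	fmt.Println(string(out))
}
```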

The ACME Order object contains:

  • Order status

  • Expiration time

  • ACME Order Challenge URL in the "authorizations" array

  • CSR submission URL in the "finalize" parameter

The possible values of the ACME Order status are:

  • "pending" - waiting for challenge submission

  • "ready" - user has passed the challenge; waiting for CSR submission

  • "processing" - creating a certificate

  • "valid" - certificate is ready for downloading

  • "invalid" - indicates an error

On failure, the "error" parameter contains a problem document in the format described in RFC 7807. The full list of registered error types is in the IANA ACME registry: https://www.iana.org/assignments/acme/acme.xhtml

Challenge

After submitting a new order, the ACME client must fetch the ACME Order Challenge using the URL from the "authorizations" array of the ACME Order object, again with an empty-payload POST:

POST https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB
Content-Type: application/jose+json
Content-Length: 430
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "51029A7B34EC4F2280ECD2A6EC4E3C04",
      "url": "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : "",
  "signature" : "<base64url-encoded signature>"
}

The server replies with an ACME Challenge object:

HTTP/1.1 200 OK
Replay-Nonce: 46660A480C68453EBB4553C46979B18D
Content-Type: application/json; charset=utf-8
Content-Length: 319
{
  "status": "pending",
  "expires": "2022-08-09T21:49:43Z",
  "identifier": {
    "type": "TNAuthList",
    "value": "MAigBhYEODE4SA=="
  },
  "challenges": [
    {
      "type": "tkauth-01",
      "tkauth-type": "atc",
      "url": "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB/0",
      "token": "45C55E0C1F224377A2DC43915715F426",
      "status": "pending"
    }
  ]
}

The ACME Challenge object contains a submission URL and the current status of the ACME Challenge, which is one of:

  • "pending" - waiting for the challenge submission

  • "processing" - validating submitted data

  • "valid" - user has successfully passed the challenge

  • "invalid" - an error has occurred during challenge processing

If status is "invalid", the "error" parameter must identify the rejection reason.

The "url" parameter of the challenge is the ACME Challenge Submission URL.

Challenge submission

To prove ownership of the STI-SP account, the ACME client must submit a fresh SPC token to the ACME Challenge Submission URL.

The SPC token is a JWT (RFC 7519) signed by the STI Policy Administrator (Iconectiv); its payload carries these mandatory parameters:

  • TNAuthList value (tkvalue)

  • CA flag (whether this SPC token authorizes issuing End-Entity certificates or CA certificates)

  • SHA256 fingerprint of the ACME Account key

SPC token payload example for regular (End-Entity) certificates:

{
  "exp": 1660523818,
  "jti": "980b0430-1e88-4f0f-91e8-749ad9251851",
  "atc": {
    "tktype": "TNAuthList",
    "tkvalue": "MAigBhYEODE4SA==",
    "ca": false,
    "fingerprint": "SHA256 D8:FC:D2:1E:52:7E:85:A5:DB:34:1F:0A:0A:67:17:55:70:9A:A1:50:34:16:BF:E6:E5:AB:AD:84:73:73:E8:A8"
  }
}
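As an added Go example (not the page's or the CA's code), a client-side pre-check that decodes the token payload and compares it with the order before submission, so that a stale or mismatched token is caught before the challenge turns "invalid". It deliberately does not verify the PA's signature, which requires the PA's signing certificate and is the ACME server's job.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// SPCClaims holds the fields of the SPC token payload shown on the page.
type SPCClaims struct {
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
	Atc struct {
		Tktype      string `json:"tktype"`
		Tkvalue     string `json:"tkvalue"`
		CA          bool   `json:"ca"`
		Fingerprint string `json:"fingerprint"`
	} `json:"atc"`
}

// CheckSPCToken decodes the payload of an SPC token (a JWT: three base64url
// segments separated by dots) and checks it against the order it is meant for:
// not expired at "now", a TNAuthList tkvalue equal to the order's identifier
// value, the CA flag matching the kind of certificate requested, and a SHA256
// fingerprint field. The signature is left to the ACME server, which holds the
// PA certificate needed to verify it.
func CheckSPCToken(token, orderValue string, wantCA bool, now time.Time) (*SPCClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("SPC token is not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c SPCClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("SPC token has expired; fetch a fresh one from the PA")
	case c.Atc.Tktype != "TNAuthList" || c.Atc.Tkvalue != orderValue:
		return nil, errors.New("SPC token tkvalue does not match the order's TNAuthList value")
	case c.Atc.CA != wantCA:
		return nil, errors.New("SPC token CA flag does not match the certificate type")
	case !strings.HasPrefix(c.Atc.Fingerprint, "SHA256 "):
		return nil, errors.New("SPC token fingerprint is not a SHA256 fingerprint")
	}
	return &c, nil
}
```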

The ACME client submits the SPC token to the Challenge Submission URL as the "atc" field of the payload:

POST https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB/0
Content-Type: application/jose+json
Content-Length: 1236
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "46660A480C68453EBB4553C46979B18D",
      "url": "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB/0",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : BASE64URL(
    {
      "atc": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXV0aGVudGljYXRlLWFwaS1zdGcuaWNvbmVjdGl2LmNvbS9kb3dubG9hZC92MS9jZXJ0aWZpY2F0ZS9jZXJ0aWZpY2F0ZUlkXzk4MTYwLmNydCJ9.eyJleHAiOjE2NjA2MDAyMTUsImp0aSI6IjdkOGYzY2VhLTEwMzUtNDA2OC1hMjg1LThkMzg3ODJkNmU4MSIsImF0YyI6eyJ0a3R5cGUiOiJUTkF1dGhMaXN0IiwidGt2YWx1ZSI6Ik1BaWdCaFlFT0RFNFNBPT0iLCJjYSI6ZmFsc2UsImZpbmdlcnByaW50IjoiU0hBMjU2IEQ4OkZDOkQyOjFFOjUyOjdFOjg1OkE1OkRCOjM0OjFGOjBBOjBBOjY3OjE3OjU1OjcwOjlBOkExOjUwOjM0OjE2OkJGOkU2OkU1OkFCOkFEOjg0OjczOjczOkU4OkE4In19.mfplwqUd3Usc6cRmduAQQrkJm8Va1dEDkkBB8ev5x5y7IOcwizpQ940PXkv007QQrcH2SdrJcEZzpJf2EY4l0A"
    }
  ),
  "signature" : "<base64url-encoded signature>"
}

On successful submission, the ACME server returns a 200 OK reply with the ACME Challenge object, whose status changes to "processing":

HTTP/1.1 200 OK
Replay-Nonce: 642DE0D7551E496EADC181C6FC0D1A79
Content-Type: application/json; charset=utf-8
Content-Length: 307
{
  "status": "processing",
  "expires": null,
  "identifier": {
    "type": "TNAuthList",
    "value": "MAigBhYEODE4SA=="
  },
  "challenges": [
    {
      "type": "tkauth-01",
      "tkauth-type": "atc",
      "url": "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB/0",
      "token": "45C55E0C1F224377A2DC43915715F426",
      "status": "processing"
    }
  ]
}

The ACME client should poll the ACME Challenge object until the challenge status changes. It is also possible to monitor progress by polling the ACME Order object.

CSR submission

Once the challenge is validated, the ACME Order status changes to "ready". The ACME client then submits a CSR, from which the certificate is created.

The CSR for Service Providers must follow these rules:

  • CSR must contain a TNAuthList X509v3 extension (OID 1.3.6.1.5.5.7.1.26)

  • Country (DN: C) must be set to "US"

  • Organization (DN: O) must be non-empty

  • Common Name (DN: CN) must contain the word "SHAKEN" and the OCN

The CSR must not contain any CRL Distribution Point other than the official PA CRL: https://authenticate-api.iconectiv.com/download/v1/crl

If the CSR has no CRL Distribution Points extension, the ACME server adds it automatically.

CSR example for Service Providers:

Certificate Request:
    Data:
        Version: 3 (0x2)
        Subject: C = US, O = My Company, CN = My Company SHAKEN 818H
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e2:71:ce:0e:6c:a9:6e:77:ca:74:97:7e:23:16:
                    cc:b0:bc:0e:b4:9a:82:d1:f3:f2:b2:a2:85:bb:c7:
                    2c:b0:46:bb:93:1c:04:77:cf:5e:41:6f:94:7b:45:
                    33:7f:06:12:63:22:bf:6a:30:1f:13:da:c2:95:9f:
                    1f:5e:d8:d0:c6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.5.5.7.1.26:
                0.....818H
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://authenticate-api.iconectiv.com/download/v1/crl
                CRL Issuer:
                  DirName:L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:de:7f:3c:b2:81:ac:ab:df:ce:fb:47:02:34:
         d2:4e:1b:da:32:cc:6f:e3:87:0f:20:ba:7a:fd:81:04:69:cb:
         1a:02:20:53:70:5a:9f:20:de:56:bc:14:ea:9d:c8:5e:1a:04:
         df:80:43:5e:25:9b:29:6d:33:a5:90:d1:ae:19:3f:8c:d8

The URL for uploading the CSR is the "finalize" parameter of the ACME Order object; the DER-encoded CSR is sent as a base64url string in the "csr" field of the payload:

POST https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0/finalize
Content-Type: application/jose+json
Content-Length: 1329
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "7D36B55C9F9349269AD08024868D72F0",
      "url": "https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0/finalize",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : BASE64URL(
    {
      "csr" : "MIIB5zCCAY0CAQIwQzELMAkGA1UEBhMCVVMxEzARBgNVBAoMCk15IENvbXBhbnkxHzAdBgNVBAMMFk15IENvbXBhbnkgU0hBS0VOIDgxOEgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATicc4ObKlud8p0l34jFsywvA60moLR8_KyooW7xyywRruTHAR3z15Bb5R7RTN_BhJjIr9qMB8T2sKVnx9e2NDGoIHnMIHkBgkqhkiG9w0BCQ4xgdYwgdMwDAYDVR0TAQH_BAIwADAWBggrBgEFBQcBGgQKMAigBhYEODE4SDCBqgYDVR0fBIGiMIGfMIGcoD6gPIY6aHR0cHM6Ly9hdXRoZW50aWNhdGUtYXBpLXN0Zy5pY29uZWN0aXYuY29tL2Rvd25sb2FkL3YxL2NybKJapFgwVjEUMBIGA1UEBwwLQnJpZGdld2F0ZXIxCzAJBgNVBAgMAk5KMRMwEQYDVQQDDApTVEktUEEgQ1JMMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1RJLVBBMAoGCCqGSM49BAMCA0gAMEUCIQDefzyygayr3877RwI00k4b2jLMb-OHDyC6ev2BBGnLGgIgU3BanyDeVrwU6p3IXhoE34BDXiWbKW0zpZDRrhk_jNg"
    }
  ),
  "signature" : "<base64url-encoded signature>"
}

On success, the ACME server returns 200 OK with the ACME Order object, whose status changes to "processing":

HTTP/1.1 200 OK
Replay-Nonce: 756289D54E5F41A08C8D6C3A38DCB4C2
Content-Type: application/json; charset=utf-8
Content-Length: 380
{
  "status" : "processing",
  "expires" : null,
  "identifiers" : [{ "type" : "TNAuthList", "value" : "MAigBhYEODE4SA==" }],
  "notBefore" : "2022-08-08T21:48:20Z",
  "notAfter" : "2022-08-08T21:53:20Z",
  "error" : null,
  "authorizations" : [
    "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB"
  ],
  "finalize" : "https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0/finalize"
}

The ACME client should poll the ACME Order object until the order status changes.

Certificate downloading

When the ACME Order has been processed successfully, its status changes to "valid" and the URL for downloading the certificate appears in the "certificate" parameter of the ACME Order object:

{
  "status": "valid",
  "expires": "2022-08-15T21:49:43Z",
  "identifiers": [
    {
      "type": "TNAuthList",
      "value": "MAigBhYEODE4SA=="
    }
  ],
  "notBefore": "2022-08-08T21:48:20Z",
  "notAfter": "2022-08-08T21:53:20Z",
  "error": null,
  "authorizations": [
    "https://stica.peeringhub.io/acme/authz/D55D90F2F6854D2CBB2E9C4A2E6EC4DB"
  ],
  "finalize": "https://stica.peeringhub.io/acme/order/0E22FC02933D42BC86A64425BB20D4B0/finalize",
  "certificate": "https://stica.peeringhub.io/acme/cert/2AC5775167C04A34A140033CD5DF4088"
}

To download the certificate, the ACME client sends a POST request with an empty payload to the Certificate URL:

POST https://stica.peeringhub.io/acme/cert/2AC5775167C04A34A140033CD5DF4088
Content-Type: application/jose+json
Content-Length: 429
{
  "protected" : BASE64URL(
    {
      "alg": "ES256",
      "nonce": "B536FD57B6874F6AB0128D7F75AC57C8",
      "url": "https://stica.peeringhub.io/acme/cert/2AC5775167C04A34A140033CD5DF4088",
      "kid": "https://stica.peeringhub.io/acme/acct/6A1AD155B73D45448E7B832888C3EF54"
    }
  ),
  "payload" : "",
  "signature" : "<base64url-encoded signature>"
}

HTTP/1.1 200 OK
Replay-Nonce: 5E8226C64D4A46D39E177E9A48A48757
Content-Type: application/pem-certificate-chain
Content-Length: 2250

Note that the Certificate URL is not public and can only be accessed with a signed POST request.

Review the certificate

The created certificate must have:

  • A valid lifespan (notBefore and notAfter parameters)

  • The requested Common Name

  • TNAuthList extension

  • CRL Distribution Points extension with the URL of the official PA CRL

  • Basic Constraints extension, which identifies the type of the certificate (End-Entity or SCA)

  • 2.16.840.1.114569.1.1.1 certificate policy

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:3e:91:a6:58:0e:04:57:d8:7c:55:03:45:c2:e2:14
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, O = Peeringhub Inc, OU = Certification Authorities, CN = Peeringhub Inc SHAKEN Intermediate CA
        Validity
            Not Before: Aug  8 21:48:20 2022 GMT
            Not After : Aug  8 21:53:20 2022 GMT
        Subject: C = US, O = My Company, CN = My Company SHAKEN 818H
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e2:71:ce:0e:6c:a9:6e:77:ca:74:97:7e:23:16:
                    cc:b0:bc:0e:b4:9a:82:d1:f3:f2:b2:a2:85:bb:c7:
                    2c:b0:46:bb:93:1c:04:77:cf:5e:41:6f:94:7b:45:
                    33:7f:06:12:63:22:bf:6a:30:1f:13:da:c2:95:9f:
                    1f:5e:d8:d0:c6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                99:3C:78:16:78:6D:C4:E3:51:B4:8C:F6:A6:68:E0:AC:AB:37:67:C3
            X509v3 Authority Key Identifier:
                keyid:22:DE:75:3E:D4:5E:08:6A:FF:01:1C:EA:7D:E3:C7:39:53:42:97:05

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114569.1.1.1

            1.3.6.1.5.5.7.1.26:
                0.....818H
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://authenticate-api.iconectiv.com/download/v1/crl
                CRL Issuer:
                  DirName:L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d0:f4:fa:43:84:fe:32:6a:49:2e:85:3e:2f:
         bd:8e:6b:16:de:c9:1e:24:27:c0:ad:c5:c2:06:8b:4c:c2:dd:
         26:02:20:5f:c1:78:3f:f5:ae:59:87:cf:db:6c:16:2e:a7:a4:
         23:2b:b5:52:56:d5:24:22:0e:7e:d7:e5:ef:44:b2:80:e1
