audk/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/TestEKUCerts/ChainCreationInstructions.txt

--------------------------------------------------------------------------------
File:           ChainCreationInstructions.txt

Description:    This folder contains INI files that are required to generate
                the following test cert chains. Certs will be copied onto the
                file system AND MY store when they are generated by certreq.exe.

Note that typically certreq.exe operates on INF files, but in this folder
we use INI files so that our build system does not complain about INF's being
in the tree, but not in the CryptoPkg.dsc file.

To create your own certificates and signatures for testing, this file demonstrates
how the test certificate chains and signatures were created.

To create test signatures, run SignFirmwareWithEKUs.cmd (with SignTool.exe in
your path).  You can then use your favorite BinaryToHex converter to convert
the binary into a byte array that you can include in unit tests.

Copyright (C) Microsoft Corporation.  All Rights Reserved.
--------------------------------------------------------------------------------
Cert Chain:

       ------------------------------------------
      |                                          | // Root of trust. ECDSA P521 curve
      |          TestEKUParsingRoot              | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
      |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
       ------------------------------------------
                         ^
                         |
       ------------------------------------------
      |                                          | // Issues subordinate CAs. ECC P384 curve.
      |       TestEKUParsingPolicyCA             | // SHA 256 Key Usage:
      |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
       ------------------------------------------
                         ^
                         |
       ------------------------------------------
      |                                          | // Issues end-entity (leaf) signers. ECC P256 curve.
      |        TestEKUParsingIssuingCA           | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
      |                                          | // Enhanced Key Usage:
       ------------------------------------------  // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
                         ^
                         |
          --------------------------------------
         /                                     /   // Leaf signer,  ECC P256 curve.
        /      TestEKUParsingLeafSigner       /    // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
       /                                     /     // Enhanced Key usages:
       --------------------------------------      // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
                                                   // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.




---------------------------------------------------------------------------------


--- files required ---

TestEKUParsingRoot.ini               - This certificate is the root CA under which all CAs live.
TestEKUParsingPolicyCA.ini           - This policy CA will issue subordinate CA's with EKU constraints.
TestEKUParsingIssuingCA.ini          - CA to issue end-entity leafs.
TestEKUParsingLeafSigner.ini         - End-Entity leaf signer.
TestEKUParsingLeafSignerPid12345.ini - End-Entity, with EKU: 1.3.6.1.4.1.311.76.9.21.1.12345.
TestEKUParsingNoEKUsInSigner.ini     - Leaf with no EKU's specified.
TestEKUParsingLeafSignerPid1.ini     - Test with naming files ini, to get around build complaints.
--- Commands to execute ---

certreq.exe -new                                    TestEKUParsingRoot.ini               TestEKUParsingRoot.cer
certreq.exe -new -q -cert "TestEKUParsingRoot"      TestEKUParsingPolicyCA.ini           TestEKUParsingPolicyCA.cer
certreq.exe -new -q -cert "TestEKUParsingPolicyCA"  TestEKUParsingIssuingCA.ini          TestEKUParsingIssuingCA.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSigner.ini         TestEKUParsingLeafSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid12345.ini TestEKUParsingLeafSignerPid12345.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingNoEKUsInSigner.ini     TestEKUParsingNoEKUsInSigner.cer
certreq.exe -new -q -cert "TestEKUParsingIssuingCA" TestEKUParsingLeafSignerPid1.ini     TestEKUParsingLeafSignerPid1.cer

---------------------------------------------------------------------------------

Then start mmc->Add certificates, Local Computer/open Personal/Certs and export the keys into the pfx files below.
Note:  You should see a little key on the top left of each cert icon, which means you have the private key
       for this cert.  If you don't see it something is wrong.  For each cert, right-click and do all tasks,
       export.  Yes, Export the private key.  PCKS#12 format, include all certs in path if possible.

       If we automated the call to certreq above, there is a PowerShell "PKI" cmdlet which has
       an Export-PfxCertificate command.

Passwords:  TestEKUParsingRoot.pfx               == TestEKUParsingRoot
            TestEKUParsingPolicyCA.pfx           == TestEKUParsingPolicyCA
            TestEKUParsingIssuingCA.pfx          == TestEKUParsingIssuingCA
            TestEKUParsingLeafSigner.pfx         == TestEKUParsingLeafSigner
            TestEKUParsingLeafSignerPid12345.pfx == TestEKUParsingLeafSignerPid12345
            TestEKUParsingNoEKUsInSigner.pfx     == TestEKUParsingNoEKUsInSigner