The repository contains a solution to create X.509 certificates according to Avviso SPID n.29 v3.
NOTE: Python native implementation available at https://github.com/italia/spid-compliant-certificates-python
NOTE: The solution is provided "AS-IS" and does not represent an official implementation from Agenzia per l'Italia Digitale
## Public sector

### With Docker

- Create and edit the `docker.env` file according to your needs (see Configuration parameters)

  ```
  $ cp public.env.example docker.env
  $ editor docker.env
  ```

- Run the script `gencert-with-docker.sh`

  ```
  $ chmod +x gencert-with-docker.sh
  $ ./gencert-with-docker.sh
  ```

- Enjoy your new private key (`key.pem`) and self-signed certificate (`crt.pem`)

  ```
  $ ls ./generated-certs/
  crt.pem  csr.pem  key.pem
  ```

NOTE: This also generates a certificate signing request (`csr.pem`) that can be submitted to AgID in order to obtain a signed certificate.
### Without Docker

- Run the following commands to configure the environment according to your needs (see Configuration parameters)

  ```
  $ cat > myenv.sh <<EOF
  export COMMON_NAME="Comune di Roma"
  export DAYS="3650"
  export ENTITY_ID="https://spid.comune.roma.it/metadata"
  export KEY_LEN="3072"
  export LOCALITY_NAME="Roma"
  export MD_ALG="sha512"
  export ORGANIZATION_IDENTIFIER="PA:IT-c_h501"
  export ORGANIZATION_NAME="Comune di Roma"
  EOF
  $ chmod +x myenv.sh && source myenv.sh
  ```

- Generate the private key (`key.pem`), the self-signed certificate (`crt.pem`) and the certificate signing request (`csr.pem`) with the following command

  ```
  $ chmod +x gencert-public.sh
  $ ./gencert-public.sh
  ```

  The output produced by the script (see the ASN.1 dumps) allows you to check whether the specifications were honoured.

- Generate the private key (`key.pem`), the self-signed certificate (`crt.pem`) and the certificate signing request (`csr.pem`) with the following command

  ```
  $ chmod +x gencert-public.sh
  $ ./gencert-public.sh -i
  ```
## Private sector

### With Docker

- Create and edit the `docker.env` file according to your needs (see Configuration parameters)

  ```
  $ cp private.env.example docker.env
  $ editor docker.env
  ```

- Run the script `gencert-with-docker.sh`

  ```
  $ chmod +x gencert-with-docker.sh
  $ ./gencert-with-docker.sh
  ```

- Enjoy your new private key (`key.pem`) and CSR (`csr.pem`)

  ```
  $ ls ./generated-certs/
  csr.pem  key.pem
  ```
### Without Docker

- Run the following commands to configure the environment according to your needs

  ```
  $ cat > myenv.sh <<EOF
  export COMMON_NAME="Comune di Roma"
  export ENTITY_ID="https://spid.comune.roma.it/metadata"
  export KEY_LEN="3072"
  export LOCALITY_NAME="Roma"
  export MD_ALG="sha256"
  export ORGANIZATION_IDENTIFIER="VATIT-02438750586"
  export ORGANIZATION_NAME="Comune di Roma"
  EOF
  $ chmod +x myenv.sh && source myenv.sh
  ```

- Generate the private key (`key.pem`) and the certificate signing request (`csr.pem`) with the following command

  ```
  $ chmod +x gencert-private.sh
  $ ./gencert-private.sh
  ```
## Validate

The following steps can be followed to verify the compliance of certificates generated with the tools in this repository, as well as of certificates generated or obtained from third parties.

### With Docker

Run the script `validate-crt-with-docker.sh`

```
$ chmod +x validate-crt-with-docker.sh
$ ./validate-crt-with-docker.sh
```

By default, it validates the certificate at `generated-certs/crt.pem`. The default path can be changed by setting the `CERT_FILE` environment variable

```
$ chmod +x validate-crt-with-docker.sh
$ CERT_FILE=/absolute/path/to/your/crt.pem ./validate-crt-with-docker.sh
```

NOTE: The first script execution could take some time, because the Docker image needs to be built. Subsequent executions will be immediate.
### Without Docker

Install the required Python packages

```
$ cd validator
$ pip install -r requirements.txt
```

Run the Python test suite

```
$ ./validator.py
```

By default, it validates the certificate at `./crt.pem`. The default path can be changed by setting the `CERT_FILE` environment variable

```
$ CERT_FILE=/path/to/your/crt.pem ./validator.py
```
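The validators above are the authoritative check. For a quick cross-check that needs neither the Docker image nor the Python environment, the POSIX shell function below is an added example (not part of this repository's scripts): it reads the text dump produced by `openssl x509 -noout -text` and checks the RSA key length and the signature digest against the allowed `KEY_LEN` and `MD_ALG` values, and checks that the subject carries an `organizationIdentifier` in one of the `PA:IT-` / `VATIT-` / `CF:IT-` forms (this example assumes, as the Avviso requires, that `ORGANIZATION_IDENTIFIER` ends up in the subject). The embedded dump is a constructed sample in the output format of OpenSSL 1.1.1 and later (`C = IT` with spaces around `=`); it is not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the spid-compliant-certificates repository:
# a lightweight cross-check of a certificate text dump against the
# README's allowed values.
# Real usage:  openssl x509 -in generated-certs/crt.pem -noout -text | check_cert_dump

# Constructed sample of an `openssl x509 -noout -text` dump. Only the lines the
# check looks at are reproduced; a real dump contains many more.
SAMPLE_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IT, O = Comune di Roma, CN = Comune di Roma, organizationIdentifier = PA:IT-c_h501
        Subject: C = IT, O = Comune di Roma, CN = Comune di Roma, organizationIdentifier = PA:IT-c_h501
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (3072 bit)'

# Reads a dump on stdin; returns 0 if every check passes, 1 otherwise.
check_cert_dump() {
  dump=$(cat)
  errors=0

  # Key length must be one of the KEY_LEN values the README allows.
  # Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x).
  bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$bits" in
    2048|3072|4096) ;;
    *) echo "ERROR: RSA key length '${bits}' not in [2048, 3072, 4096]" >&2; errors=$((errors + 1)) ;;
  esac

  # Signature digest must correspond to one of the MD_ALG values (sha256, sha512).
  sigalg=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
  case "$sigalg" in
    sha256WithRSAEncryption|sha512WithRSAEncryption) ;;
    *) echo "ERROR: signature algorithm '${sigalg}' is not sha256/sha512 with RSA" >&2; errors=$((errors + 1)) ;;
  esac

  # The subject must carry organizationIdentifier in a documented form.
  subject=$(printf '%s\n' "$dump" | sed -n 's/^ *Subject: \(.*\)$/\1/p' | head -n 1)
  case "$subject" in
    *"organizationIdentifier = PA:IT-"*|*"organizationIdentifier = VATIT-"*|*"organizationIdentifier = CF:IT-"*) ;;
    *) echo "ERROR: subject lacks organizationIdentifier in PA:IT-/VATIT-/CF:IT- form: ${subject}" >&2; errors=$((errors + 1)) ;;
  esac

  [ "$errors" -eq 0 ]
}
```

The function only reports on what the dump shows; it does not replace the validator, which also checks the extensions and ASN.1 structure the Avviso mandates.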
## Configuration parameters

This section documents the configuration parameters that can be set as environment variables.

### Common

- `COMMON_NAME`: short name of the service provider (example: `AgID`, default: `""`)
- `ENTITY_ID`: value of the `entityID` attribute in the `<EntityDescriptor>` element (example: `https://spid.agid.gov.it`, default: `""`)
- `KEY_LEN`: length of the private key (allowed values: `[2048, 3072, 4096]`, default: `2048`)
- `LOCALITY_NAME`: extended name of the locality (example: `Roma`, default: `""`)
- `MD_ALG`: digest algorithm to be used (allowed values: `[sha256, sha512]`, default: `sha256`)
- `ORGANIZATION_NAME`: extended name of the service provider (example: `Agenzia per l'Italia Digitale`, default: `""`)

### Public sector only

- `DAYS`: validity of the self-signed certificate (example: `3650`, default: `730`)
- `ORGANIZATION_IDENTIFIER`: service provider identifier in the form of `PA:IT-<IPA Code>` (example: `PA:IT-c_h501`, default: `""`)

### Private sector only

- `ORGANIZATION_IDENTIFIER`: service provider identifier in the form of `VATIT-<partita iva>` or `CF:IT-<codice fiscale>` (example: `VATIT-12345678901`, default: `""`)
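Most of these parameters default to an empty string, so a mistyped or forgotten variable is only noticed after the key has been generated and the CSR has been submitted. The POSIX shell function below is an added example (not part of the repository's scripts) that checks the variables documented above before `gencert-public.sh` or `gencert-private.sh` is run: mandatory fields must be non-empty, `KEY_LEN` and `MD_ALG` must be in their allowed sets, `DAYS` must be a positive integer, and `ORGANIZATION_IDENTIFIER` must have the form expected for the sector. The `sector` argument (`public` or `private`) is an assumption of this example, not an option of the repository's scripts.

```shell
#!/bin/sh
# Added example, not part of the spid-compliant-certificates repository:
# pre-flight check of the configuration variables before running the generator.
# Usage: source myenv.sh (or export the docker.env values), then
#   check_spid_env public      or      check_spid_env private
# Returns 0 when every check passes; prints each problem to stderr and
# returns 1 otherwise. The sector argument is this example's own convention.
check_spid_env() {
  sector="$1"
  errors=0

  # Fields whose README default ("") is never a usable value.
  for v in COMMON_NAME ORGANIZATION_NAME LOCALITY_NAME ENTITY_ID ORGANIZATION_IDENTIFIER; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "ERROR: $v is empty" >&2
      errors=$((errors + 1))
    fi
  done

  # KEY_LEN: allowed values [2048, 3072, 4096], default 2048.
  case "${KEY_LEN:-2048}" in
    2048|3072|4096) ;;
    *) echo "ERROR: KEY_LEN must be 2048, 3072 or 4096 (got '${KEY_LEN}')" >&2; errors=$((errors + 1)) ;;
  esac

  # MD_ALG: allowed values [sha256, sha512], default sha256.
  case "${MD_ALG:-sha256}" in
    sha256|sha512) ;;
    *) echo "ERROR: MD_ALG must be sha256 or sha512 (got '${MD_ALG}')" >&2; errors=$((errors + 1)) ;;
  esac

  # ORGANIZATION_IDENTIFIER form and DAYS depend on the sector.
  case "$sector" in
    public)
      case "${ORGANIZATION_IDENTIFIER:-}" in
        PA:IT-?*) ;;
        *) echo "ERROR: public sector ORGANIZATION_IDENTIFIER must be PA:IT-<IPA Code>" >&2; errors=$((errors + 1)) ;;
      esac
      # DAYS: validity of the self-signed certificate, default 730.
      case "${DAYS:-730}" in
        ''|*[!0-9]*|0) echo "ERROR: DAYS must be a positive integer (got '${DAYS}')" >&2; errors=$((errors + 1)) ;;
      esac
      ;;
    private)
      case "${ORGANIZATION_IDENTIFIER:-}" in
        VATIT-[0-9]*|CF:IT-?*) ;;
        *) echo "ERROR: private sector ORGANIZATION_IDENTIFIER must be VATIT-<partita iva> or CF:IT-<codice fiscale>" >&2; errors=$((errors + 1)) ;;
      esac
      ;;
    *)
      echo "ERROR: sector must be 'public' or 'private' (got '${sector}')" >&2; errors=$((errors + 1)) ;;
  esac

  [ "$errors" -eq 0 ]
}
```

Chaining it as `check_spid_env public && ./gencert-public.sh` stops the generator on the first misconfiguration, before any key material is written to `generated-certs/`.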