extract-client-id #
extract-client-id is an acra-keys subcommand that derives a ClientID from a TLS certificate, using the same algorithm AcraServer/AcraTranslator apply to the certificate presented during the TLS handshake.
Command line flags #
General flags #
- `--tls_cert=<path>` (deprecated since 0.96.0) 🔴
  Path to the TLS certificate to use as the ClientID identifier. Use `--tls_client_id_cert` instead.
- `--tls_client_id_cert=<path>`
  Path to the TLS certificate to use as the ClientID identifier. Works only when an empty ClientID is passed (`--client_id=""`). Should be used instead of `--tls_cert`.
- `--tls_identifier_extractor_type={distinguished_name|serial_number}`
  Decides which field of the TLS certificate is used as the ClientID:
  - `distinguished_name`: the certificate's Distinguished Name (DN)
  - `serial_number`: the certificate's serial number
- `--print_json`
  Use machine-readable JSON output.

🔴 marks flags that are required.
Usage example #
The extract-client-id subcommand derives the ClientID that references the keys produced for a certificate by other acra-keys subcommands (such as generate or export): pass the certificate via the tls_cert flag (or tls_client_id_cert) together with an empty client_id.
Suppose you have a certificate that the application will send to AcraServer/AcraTranslator during the TLS handshake:
```shell
$ openssl x509 -noout -text -in /path/to/certificate/application.crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:ea:07:47:5c:85:ec:55:49:b3:44:42:18:08:5e:a7:6a:30:1d:4d
        ### skipped irrelevant part ###
        Subject: C = GB, ST = London, L = London, O = Global Security, OU = IT, CN = Test leaf certificate
        ### skipped irrelevant part ###
```
and you want AcraServer/AcraTranslator to use specific encryption keys to process this application's requests. For this you need to transform the certificate's serial number or Distinguished Name with the same algorithm AcraServer/AcraTranslator use. The examples below pass the certificate via the deprecated --tls_cert flag; --tls_client_id_cert takes the same path and should be used instead.
Here's how to use distinguished_name (which uses the certificate's subject):
```shell
$ acra-keys extract-client-id \
    --tls_cert=/path/to/certificate/application.crt.pem \
    --tls_identifier_extractor_type=distinguished_name
12824c1c541a615f428a740770291374a8504f84a0682ab4015bc8e792b1bc8240022c5c9faa8c2111e0076b3b929148f4b801414413edaa800cb42492c20cf7
```
And here's how to use serial_number (which uses the serial number of the given certificate):
```shell
$ acra-keys extract-client-id \
    --tls_cert=/path/to/certificate/application.crt.pem \
    --tls_identifier_extractor_type=serial_number
02b2a4a407659c58477d5c274fbca3d7b7e4802ad61159174e8d1c04345c4635876e26eef3ceb2d8041a821f11eafe38177d432db25377ac6e15c27d8936a1a3
```
extract-client-id does not use the selected field verbatim: it hashes it with SHA-512, so every generated ClientID has the same, acceptable length regardless of how long the serial number or DN is.
Here's how you can get the same result manually:
```shell
# take the serial number of the example certificate from above,
# remove anything except hex digits,
# transform it into raw bytes (a reverse hexdump),
# and finally hash it with sha512
$ echo -n 07:ea:07:47:5c:85:ec:55:49:b3:44:42:18:08:5e:a7:6a:30:1d:4d \
    | tr -d ':' \
    | xxd -ps -r \
    | sha512sum
02b2a4a407659c58477d5c274fbca3d7b7e4802ad61159174e8d1c04345c4635876e26eef3ceb2d8041a821f11eafe38177d432db25377ac6e15c27d8936a1a3
```
Additionally, you can specify --print_json to get the output in machine-readable JSON format:
```shell
$ acra-keys extract-client-id \
    --tls_cert=/path/to/certificate/application.crt.pem \
    --print_json
{"client_id":"12824c1c541a615f428a740770291374a8504f84a0682ab4015bc8e792b1bc8240022c5c9faa8c2111e0076b3b929148f4b801414413edaa800cb42492c20cf7"}
```
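The following Python script is an added example, not part of the Acra documentation or of the acra-keys source. It reproduces the serial_number extractor from the text output of `openssl x509 -text`, performing the same steps as the manual shell pipeline above (extract the serial, convert the hex to raw bytes, SHA-512 it), and formats the result the way --print_json does. The function names (parse_serial_number, serial_to_bytes, client_id_from_serial, extract_client_id) and the sample openssl text are this example's own. It assumes the serial is hashed as its minimal big-endian byte encoding, which is exactly what `tr -d ':' | xxd -ps -r` yields for the certificate above; for serials that openssl prints with a leading 00 byte (added only to keep the DER INTEGER positive), that byte is dropped here, and you should confirm the result against acra-keys itself before relying on it. The distinguished_name variant is not reproduced because the page does not specify how the DN is serialized before hashing.

```python
"""Reproduce acra-keys extract-client-id --tls_identifier_extractor_type=serial_number
from the text that `openssl x509 -noout -text` prints (example code, not Acra's own)."""
import hashlib
import json
import re
import sys

# Constructed sample: the relevant lines of the openssl output shown on this page.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:ea:07:47:5c:85:ec:55:49:b3:44:42:18:08:5e:a7:6a:30:1d:4d
        Signature Algorithm: sha256WithRSAEncryption
        Subject: C = GB, ST = London, L = London, O = Global Security, OU = IT, CN = Test leaf certificate
"""


def parse_serial_number(openssl_text: str) -> int:
    """Return the certificate serial number as an integer.

    openssl prints long serials as colon-separated hex on the line after
    "Serial Number:"; short serials are printed inline as
    "Serial Number: 4660 (0x1234)". Both forms are handled.
    """
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith("Serial Number:"):
            continue
        rest = stripped[len("Serial Number:"):].strip()
        if rest:
            # Inline (short) form: the hex value is given in parentheses.
            match = re.search(r"\(0x([0-9a-fA-F]+)\)", rest)
            if match:
                return int(match.group(1), 16)
            return int(rest.replace(":", ""), 16)
        # Multi-line (long) form: colon-separated hex on the next line.
        return int(lines[i + 1].strip().replace(":", ""), 16)
    raise ValueError("no Serial Number field in openssl output")


def serial_to_bytes(serial: int) -> bytes:
    """Minimal big-endian encoding of the serial.

    Assumption (see lead-in): this matches what `xxd -ps -r` produces from the
    colon-hex for the page's certificate, and drops a leading 00 byte that
    openssl prints only to keep the DER INTEGER positive.
    """
    return serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")


def client_id_from_serial(serial: int) -> str:
    """SHA-512 of the raw serial bytes, hex-encoded: the ClientID."""
    return hashlib.sha512(serial_to_bytes(serial)).hexdigest()


def extract_client_id(openssl_text: str, print_json: bool = False) -> str:
    """Equivalent of extract-client-id with the serial_number extractor;
    print_json mimics the --print_json output shape."""
    client_id = client_id_from_serial(parse_serial_number(openssl_text))
    if print_json:
        return json.dumps({"client_id": client_id}, separators=(",", ":"))
    return client_id


if __name__ == "__main__":
    # Usage: openssl x509 -noout -text -in cert.pem | python3 this_script.py
    # With no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OPENSSL_TEXT
    print(extract_client_id(text))
    print(extract_client_id(text, print_json=True))
```

Run it on the page's certificate and the first line printed equals the serial_number ClientID shown above; compare against the real `acra-keys extract-client-id --tls_identifier_extractor_type=serial_number` output for your own certificates, especially ones whose serial has the high bit set, before wiring the derived IDs into key generation.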
The next steps are:
- Generate keys (acra-keys generate or acra-keymaker) for your application, passing the ClientID returned by extract-client-id as the --client_id option.
- Configure AcraServer/AcraTranslator with the same --tls_identifier_extractor_type you used during ClientID extraction.
- Make the application use the same certificate you extracted the ClientID from.

AcraServer/AcraTranslator will then automatically select the proper encryption keys to process this application's requests. Because the ClientID is derived purely from a certificate field, this mapping is only as trustworthy as the certificate validation that precedes it: AcraServer/AcraTranslator must verify the client certificate against a CA you control, so that only certificates issued by that CA can map to a ClientID. You can have as many ClientID/certificate pairs as you like.