X509Builder v1.6, March 2022
http://sectools.free.fr/EN

This software is intended for programmers, testers, administrators, teachers, demonstrators or end users who want to generate X509 certificates for private use (email protection, test servers, ...).

Obviously, it doesn't replace a trusted, well-established certification authority and a full PKI architecture. In particular, it can generate certificates (deliberately or not) which are 'cryptographically' valid but don't follow expected conventions. This may not be desirable in the real world, but it is practical for testing.

Main assumption :
If a certification authority's private key is available, certificates are signed with this key. Otherwise, certificates are self-signed.
Only a private key corresponding to the public key of the authority certificate (version 3) can be loaded.

Supported file formats : PEM, PKCS8, DER, PKCS12

Fields :

Serial Number :
Enter a hexadecimal string value or click on 'Generate'. Be sure not to enter the same value twice for the same certificate/issuer pair.

Subject Alternative Name(s) (SAN) :
To add a 'directory name', click the corresponding button. Otherwise, select the type of SAN, enter the corresponding data and click '+'.
Reminder : values for fields other than DN can only be encoded with ASCII characters (IA5String).

The signature digest choice is enabled when appropriate and when a signing key is available (not needed for PureEdDSA).

Passphrase (for loading or saving keys) :
If the key to be loaded isn't protected, or if you do not wish to protect a private key (not recommended), click on the 'OK' button without entering a passphrase. (The 'Cancel' button ends the loading or writing of the key.)

General Use :

CA = Certification Authority

A) Generate a CA certificate (self-signed) :
1) verify that no previous key for an authority has been loaded, or click on 'Unload'
2) enter the desired values in the 'Subject', 'Alt. Names' and 'Usage' tabs
3) generate or load a private key for the certificate
4) if the key has been generated, click on 'Save Key'
5) click on 'Save Certificate'

B) Generate an end user or intermediate CA certificate :
1) load a trusted CA certificate (click on 'Load Cert' in the 'CA key' group)
2) if the CA certificate is still valid, load the matching private key,
3) then proceed to A)2)

C) Generate a certificate request :
just like in A), but click on 'Save Request'

D) Generate an end user or intermediate CA certificate from a certificate request :
proceed like in B), but click on 'Load Request' and complete or update the fields.

The 'Save Request' and 'Save Certificate' buttons are available only when a certificate's private key is loaded or generated.
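
The serial number rule under 'Fields' (no value used twice for the same issuer), shown as an added example that is not part of X509Builder: it normalizes typed hex so that '00AB' and 'ab' count as the same serial, and rejects zero and values over the 20-octet limit of RFC 5280. The function and class names, the accepted separators and the use of the issuer DN string as key are assumptions.

```python
import secrets
import string

MAX_DER_OCTETS = 20  # RFC 5280 section 4.1.2.2 upper bound for serialNumber


def parse_serial(hex_text):
    """Convert a typed hex serial to an int, rejecting values a CA must not use."""
    # Assumed input styles: optional 0x prefix, ':' or space separators.
    cleaned = hex_text.strip().replace(":", "").replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise ValueError(f"not a hexadecimal string: {hex_text!r}")
    value = int(cleaned, 16)
    if value == 0:
        raise ValueError("serial number must be a positive integer")
    # DER INTEGER is signed: a set top bit costs one extra leading 0x00 octet.
    der_octets = value.bit_length() // 8 + 1
    if der_octets > MAX_DER_OCTETS:
        raise ValueError(f"serial needs {der_octets} DER octets, limit is 20")
    return value


class SerialRegistry:
    """Tracks used serials per issuer (issuer DN string as key is an assumption)."""

    def __init__(self):
        self._used = {}  # issuer DN -> set of integer serials

    def register(self, issuer_dn, hex_text):
        """Record a serial for an issuer, or raise if it was already issued."""
        value = parse_serial(hex_text)
        used = self._used.setdefault(issuer_dn, set())
        if value in used:
            raise ValueError(f"serial {value:X} already used by {issuer_dn}")
        used.add(value)
        return value

    def generate(self, issuer_dn):
        """Draw random 128-bit serials until one is fresh for this issuer."""
        while True:
            hex_text = f"{secrets.randbits(128):032X}"
            try:
                self.register(issuer_dn, hex_text)
                return hex_text
            except ValueError:
                continue  # zero or collision: draw again
```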