Drupal / Bitcoin BIP 70 / PKI certificates

Posted November 3, 2014 by Jonathan Brown ‐ 4 min read

Retrieved from the Wayback Machine.

BIP 70 provides a mechanism so that a customer can be sure that they are sending a Bitcoin payment to the correct place. Before BIP 70, the customer would simply be presented with a Bitcoin address to send the amount to. This address could potentially be tampered with so the funds get sent to someone else. It is also not very user-friendly to be sending money to a random collection of letters and numbers.

Now public key infrastructure (PKI) is used to present the customer with cryptographic proof that they are making the correct payment. The payment information that the Bitcoin wallet receives is supplied with a certificate and is digitally signed. The wallet can then present a "human-readable, secure payment destination" to the customer, i.e. the name of the company or a verified email address.

This functionality is now implemented in Coin Tools.

To start using it you need to obtain a certificate. The easiest way to do this is to create a free account at StartSSL. Once they have verified that you own your email address they will put a certificate to this effect into your web browser.

You need to extract this certificate (and private key). Here is how to do it using Firefox, but other browsers are similar. First you need to view your certificates.

Then backup the certificate for your email address provided by StartCom Ltd.

Make sure you save the file with .p12 extension, i.e. jbrown@bluedroplet.com.p12 - P12 is an "archive file format for storing cryptographic objects like private keys and certificates." You will be prompted for a password to encrypt this file.

Next you need to extract your certificate and public key from this file like so:

openssl pkcs12 -in jbrown@bluedroplet.com.p12 -clcerts -nokeys -out publicCert.pem
openssl pkcs12 -in jbrown@bluedroplet.com.p12 -nocerts -out privateKey.pem

Each of these commands will require you to enter the password you encrypted the P12 file with. When extracting the private key you must provide a passphrase it should be encrypted with.

Next you need to add the certificate to your payment type (or create a new one). With the latest version of Coin Tools 8.x-1.x there are additional fields on the payment type form for this. Paste the contents of publicCert.pem into the "Certificate" field.

And paste the contents of privateKey.pem into the "Private key" field. Select "Private key is encrypted" and enter the passphrase you encrypted it with.

When making a payment, the customer's wallet will now display the certificate's Common Name. In this case it is a verified email address.