[openssl-users] 802.1AR certificate generation and the config file
Robert Moskowitz
rgm at htt-consult.com
Fri Aug 11 14:27:55 UTC 2017
Now that I can build a generic PKI with EDDSA, the next step is to add
creation of 802.1AR iDevID certificates. I am using the current draft,
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same
(but more clearly written) as sec 7, 802.1AR-2009.
I start by making the following section in my openssl.cnf file:
[ 8021AR_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man ????`).
basicConstraints = CA:FALSE
# subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
Note that clause 7.6 says:
"The Subject Key Identifier extension should not be included in DevID
certificates."
The clause goes on to state that Subject Key Identifier IS included in
CA certificates for certificate path building.
My challenge comes with subjectAltName and its subfield hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.
Any help greatly appreciated.
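For readers landing on this thread with the same question, here is an added example of how the hardwareModuleName otherName is spelled in openssl.cnf. It is not part of the original post and not anything the poster wrote; it reuses his extension section and adds the subjectAltName line. RFC 4108 defines the otherName type-id id-on-hardwareModuleName (1.3.6.1.5.5.7.8.4, i.e. id-pkix 8 4) whose value is HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }; OpenSSL lets you build that value with the mini-language documented in 'man ASN1_generate_nconf'. The hwType OID (an arc under a fictitious enterprise number) and the serial number bytes below are placeholders I made up, not real assignments.

```ini
# Added example, not from the original post. Extension section for an
# 802.1AR iDevID with an RFC 4108 HardwareModuleName in subjectAltName.

[ 8021AR_idevid ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# otherName:<type-id OID>;<ASN.1 value>. The type-id is
# id-on-hardwareModuleName = 1.3.6.1.5.5.7.8.4. SEQ:<section> tells the
# ASN1_generate_nconf parser to build a SEQUENCE from the named section.
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hwmodule_name

[ hwmodule_name ]
# hwType: OBJECT IDENTIFIER naming the hardware type.
# 1.3.6.1.4.1.99999.1.1 is a placeholder (assumed, fictitious enterprise
# arc); use an OID your organization actually owns.
hwType = OID:1.3.6.1.4.1.99999.1.1
# hwSerialNum: OCTET STRING holding the device serial number.
# FORMAT:HEX makes the OCT: value be read as hex bytes (constructed value).
hwSerialNum = FORMAT:HEX,OCT:0123456789ABCDEF
```

Select the section with -extensions 8021AR_idevid (e.g. openssl req -new -x509 -config openssl.cnf -extensions 8021AR_idevid ...). Note that openssl x509 -noout -text prints this SAN entry as "othername:<unsupported>" in OpenSSL releases that do not decode this otherName, so confirm the encoding with openssl asn1parse -i, where the type-id OID and the nested SEQUENCE with the OBJECT IDENTIFIER and OCTET STRING should be visible.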