[openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz rgm at htt-consult.com
Fri Aug 11 18:58:42 UTC 2017



On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote:
> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>
>> Frustrated...
>>
>> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>>>> My challenge comes to subjectAltName and its subfield
>>>> hardwareModuleName
>>>> per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
>>>> 'man x509v3_config'.
>>> Not all forms of SAN names are supported.  If you look in include/openssl/x509v3.h you see the following:
>>> # define GEN_OTHERNAME   0
>>> # define GEN_EMAIL       1
>>> # define GEN_DNS         2
>>> # define GEN_X400        3
>>> # define GEN_DIRNAME     4
>>> # define GEN_EDIPARTY    5
>>> # define GEN_URI         6
>>> # define GEN_IPADD       7
>>> # define GEN_RID         8
>> I just spent over an hour googling around as well as reading openssl
>> docs to get a list of distinguished_name fields.  Both in their full
>> form and abbreviated form.  All I find are the common ones in
>> examples.
>>
>> And for the list above for SAN, how are they presented in the
>> openssl cli/config.  Again, just not finding it.
>>
>> My search foo is weak.
>>
>> pointers greatly appreciated.
>>
> You can use the mini-ASN.1 compiler with the otherName syntax. This will
> create the extension in the appropriate form but you won't get it displayed.
>
> In outline it's like this:
>
> ----
> # Use id-on-hardwareModuleName OID with otherName
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

Is that supposed to be a semicolon before SEQ?  Or a typo?

>
> [hmodname]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
> ----
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
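In the x509v3_config syntax an otherName is written `otherName:<oid>;<value>`, so the semicolon in Steve's snippet is part of the syntax, not a typo. Because `openssl x509 -text` does not decode this particular otherName, the added example below (not code from the thread or from the OpenSSL project) shows, with the standard library only, what DER the config snippet actually produces and how to read it back out of a SAN extension value. It assumes the same placeholder values as the snippet (hwType OID `1.2.3.4`, serial `01020304`); the function names are this example's own.

```python
"""Added example: DER encoder/decoder for the RFC 4108 hardwareModuleName otherName.

Mirrors the config snippet
    subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
    [hmodname]
    hwType = OID:1.2.3.4
    hwSerialNum = FORMAT:HEX,OCT:01020304
Standard library only; all sample values are constructed placeholders.
"""

ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"  # id-on-hardwareModuleName (RFC 4108)


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV at pos; definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_hardware_module_name_san(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """GeneralNames holding one otherName { id-on-hardwareModuleName, HardwareModuleName }."""
    # HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }
    hmod = _tlv(0x30, _encode_oid(hw_type_oid) + _tlv(0x04, hw_serial))
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; GeneralName uses [0] IMPLICIT
    other = _encode_oid(ID_ON_HARDWARE_MODULE_NAME) + _tlv(0xA0, hmod)
    return _tlv(0x30, _tlv(0xA0, other))


def decode_hardware_module_name_san(der: bytes):
    """Walk a SAN extension value; return (hwType, hwSerialNum) or None if no such otherName."""
    tag, names, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag != 0xA0:  # only [0] otherName entries matter here
            continue
        t, oid_body, p = _read_tlv(content, 0)
        if t != 0x06 or _decode_oid(oid_body) != ID_ON_HARDWARE_MODULE_NAME:
            continue
        _, explicit, _ = _read_tlv(content, p)   # value [0] EXPLICIT wrapper
        _, hmod, _ = _read_tlv(explicit, 0)      # HardwareModuleName SEQUENCE
        _, hw_type, p = _read_tlv(hmod, 0)
        _, serial, _ = _read_tlv(hmod, p)
        return _decode_oid(hw_type), serial
    return None


if __name__ == "__main__":
    san = encode_hardware_module_name_san("1.2.3.4", bytes.fromhex("01020304"))
    print(san.hex())
    print(decode_hardware_module_name_san(san))
```

To check a real certificate, dump it with `openssl asn1parse -in cert.pem -i`, take the OCTET STRING contents of the subjectAltName extension, and pass those bytes to `decode_hardware_module_name_san`; the hwType and hwSerialNum it returns should match what the config specified.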


