Setting Issuer Alternative Name
Robert Moskowitz
rgm at htt-consult.com
Thu May 11 19:06:30 UTC 2023
On 5/11/23 12:33, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 11:26:25AM -0400, Robert Moskowitz wrote:
>
>> In rfc5280:
>>
>> IssuerAltName ::= GeneralNames
>>
>> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>>
>> GeneralName ::= CHOICE {
>>      otherName                       [0]     OtherName,
>>      rfc822Name                      [1]     IA5String,
>>      dNSName                         [2]     IA5String,
>>      x400Address                     [3]     ORAddress,
>>      directoryName                   [4]     Name,
>>      ediPartyName                    [5]     EDIPartyName,
>>      uniformResourceIdentifier       [6]     IA5String,
>>      iPAddress                       [7]     OCTET STRING,
>>      registeredID                    [8]     OBJECT IDENTIFIER }
>>
>> So since I want a DET as IssuerAltName (e.g.
>> 20010030000000052aeb9adc1ce8b1ecO), it seems that iPAddress is the only
>> thing that works. So in the config file, I tried:
> No, you would use "otherName", which is a combination of an OID and
> corresponding data. You would register (if there isn't one already) a
> suitable OID for DET-values, and choose a suitable DET encoding to go
> with that OID.
ARGH!!! :)
I am struggling with OIDs right now. For now, I am using my IANA
Enterprise OID, 1.3.6.1.4.1.6715.2.6 for CERT RR with Private OID as
there is no OID to use. I am asking ICAO to use theirs, and hope to get
1.3.27.9 to work off of. But that can take lots of time to work through.
But I don't see otherName in the list above? How would I code
otherName? Btw, for my work with 802.1AR certs that need a SN in
subjectAltName, I have used otherName.
And that has seemed to work for SAN, but what to do for IAN?
More information about the openssl-users mailing list