Setting Issuer Alternative Name
Robert Moskowitz
rgm at htt-consult.com
Sun May 14 16:44:48 UTC 2023
maybe progress?
On 5/12/23 21:58, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 03:48:52PM -0400, Robert Moskowitz wrote:
>
>>> No, you would use "otherName", which is a combination of an OID and
>>> corresponding data. You would register (if there isn't one already) a
>>> suitable OID for DET-values, and choose a suitable DET encoding to go
>>> with that OID.
>> I was told that the name in OpenSSL is IP, not as 5280 uses, iPAddress.
> If these DET certificates are really IP address certificates (i.e.
> authenticate a node at the specified address, as e.g. for establishing
> IPSEC connections, or HTTPS connections to IP-address valued origin
> URLs, ...), then sure, you could overload the IP address SAN. But I
> suspect that's not the case...
>
>> It would seem that some generalName is supported here, but how to code
>> it in the conf file?
> There are example SANs in x509v3_config(5), the last of which is
> "otherName":
>
> otherName can include arbitrary data associated with an OID: the value
> should be the OID followed by a semicolon and the content in standard
> ASN1_generate_nconf(3) format.
>
> Examples:
>
> subjectAltName=email:copy,email:my at other.address,URI:http://my.url.here/
> subjectAltName=IP:192.168.7.1
> subjectAltName=IP:13::17
> subjectAltName=email:my at other.address,RID:1.2.3.4
> subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
>
> So see also ASN1_generate_nconf(3).
>
I looked at that manpage and tried:
authorityKeyIdentifier = otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec
1.3.27 is ICAO. 16 is "security". 1 is used for the ICAO IATF PKI. So
I am working on them giving me 1.3.27.16.2...
The error this throws is:
401C5CEDA27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=otherName:1.3.27.16.2.1.1;BITSTR:0x20010030000000052aeb9adc1ce8b1ec
So I don't have that conf for authorityKeyIdentifier right, yet.
SEQ did not work either:
408C8FF6C27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=otherName:1.3.27.16.2.1.1;SEQ:20010030000000052aeb9adc1ce8b1ec
What is the proper format?
thanks.
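The x509v3_config(5) syntax quoted above, worked through as an added example that is not part of the thread: a standard-library Python script that produces the subjectAltName line for the OID and DET value from the post (otherName is a subjectAltName value in the quoted manpage example, and FORMAT:HEX makes the hex digits the BIT STRING's bytes rather than ASCII text), then builds and parses the DER otherName so a certificate's SAN can be compared byte for byte with the output of openssl asn1parse. It assumes the BIT STRING is byte aligned (0 unused bits), which is what FORMAT:HEX,BITSTR produces.

```python
def der_tlv(tag: int, body: bytes) -> bytes:
    # DER tag-length-value with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der_tlv(0x06, bytes(body))

def encode_othername(oid: str, value_hex: str) -> bytes:
    """GeneralName.otherName: [0] IMPLICIT SEQUENCE { OID, [0] EXPLICIT BIT STRING }."""
    bitstr = der_tlv(0x03, b"\x00" + bytes.fromhex(value_hex))  # 0 unused bits (assumed)
    return der_tlv(0xA0, encode_oid(oid) + der_tlv(0xA0, bitstr))

def san_conf_line(oid: str, value_hex: str) -> str:
    """The line for the extension section that the request or CA config points at."""
    return f"subjectAltName = otherName:{oid};FORMAT:HEX,BITSTR:{value_hex}"

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, end) for the TLV at pos, long-form lengths included."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body: bytes) -> str:
    arcs = [2, body[0] - 80] if body[0] >= 80 else list(divmod(body[0], 40))
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_othername(der: bytes):
    """Parse an otherName GeneralName to (oid, value_hex); reject other shapes."""
    tag, body, _ = read_tlv(der)
    t_oid, oid_body, pos = read_tlv(body)
    t_exp, explicit, _ = read_tlv(body, pos)
    t_bits, bits, _ = read_tlv(explicit)
    if (tag, t_oid, t_exp, t_bits) != (0xA0, 0x06, 0xA0, 0x03) or bits[:1] != b"\x00":
        raise ValueError("not an otherName carrying a byte-aligned BIT STRING")
    return decode_oid(oid_body), bits[1:].hex()
```

Running `openssl asn1parse -in cert.pem -strparse <offset of the SAN>` on a certificate issued with the generated line should show the same OID and BIT STRING bytes that encode_othername returns.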