[openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz rgm at htt-consult.com
Fri Aug 11 14:27:55 UTC 2017

Now that I can build a generic PKI with EDDSA, the next step is to add 
creation of 802.1AR iDevID certificates.  I am using the current draft, 
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same 
(but clearer written) as sec 7, 802.1AR-2009.

I start with making the following section in my openssl.cnf file:

[ 8021AR_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man ????`).
basicConstraints = CA:FALSE
# subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment

Note that clause 7.6 says:

"The Subject Key Identifier extension should not be included in DevID 

The clause goes on to state that Subject Key Identifier IS included in 
CA certificates for certificate path building.

My challenge comes to subjectAltName and its subfield hardwareModuleName 
per RFC 4108.   I guess I am not 'getting' the subjectAltName section of 
'man x509v3_config'.

Any help greatly appreciated.

More information about the openssl-users mailing list