[openssl-users] 802.1AR certificate generation and the config file

Viktor Dukhovni openssl-users at dukhovni.org
Fri Aug 11 16:47:46 UTC 2017


On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:

> In the certificate extensions section you do something like:
> 	subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on.  The "pki.tgz"
> 
> > And further it seems you are saying there is no support for HMN at all.
> 
> Right.

From the x509v3_config manpage:

    ARBITRARY EXTENSIONS
       If an extension is not supported by the OpenSSL code then it must be
       encoded using the arbitrary extension format. It is also possible to
       use the arbitrary format for supported extensions. Extreme care should
       be taken to ensure that the data is formatted correctly for the given
       extension type.

       There are two ways to encode arbitrary extensions.

       The first way is to use the word ASN1 followed by the extension content
       using the same syntax as ASN1_generate_nconf(3).  For example:

        1.2.3.4=critical,ASN1:UTF8String:Some random data

        1.2.3.4=ASN1:SEQUENCE:seq_sect

        [seq_sect]

        field1 = UTF8:field1
        field2 = UTF8:field2

       It is also possible to use the word DER to include the raw encoded data
       in any extension.

        1.2.3.4=critical,DER:01:02:03:04
        1.2.3.4=DER:01020304

       The value following DER is a hex dump of the DER encoding of the
       extension. Any extension can be placed in this form to override the
       default behaviour.  For example:

        basicConstraints=critical,DER:00:01:02:03

-- 
	Viktor.
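The arbitrary-extension syntax quoted above is what makes an 802.1AR DevID's hardwareModuleName possible from a plain config file: x509v3_config also accepts `otherName:OID;content` inside subjectAltName, with the content written in the same ASN1_generate_nconf syntax, so the RFC 4108 `HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }` can be spelled out as a `SEQUENCE:` section under the id-on-hardwareModuleName OID 1.3.6.1.5.5.7.8.4. The manpage's warning that "extreme care" is needed is the real problem: nothing in OpenSSL checks that what you typed is a well-formed HardwareModuleName. The following is an added example, not code from this thread or from OpenSSL. It prints the config snippet and, independently of OpenSSL, computes the DER bytes that the otherName value must contain and parses them back, so you have a known-good reference to compare against `openssl asn1parse` output. The hwType OID 1.3.6.1.4.1.99999.1, the serial "SN0001" and the section name `hmn_sect` are constructed sample values.

```python
"""Build and verify a HardwareModuleName (RFC 4108) value for OpenSSL's
otherName / arbitrary-extension config syntax.

Added example: not code from the mailing-list post or from OpenSSL.
The hwType OID 1.3.6.1.4.1.99999.1 and serial "SN0001" are constructed
sample values, not real assignments.
"""

# id-on-hardwareModuleName = { id-pkix 8 4 } (RFC 4108)
HMN_OID = "1.3.6.1.5.5.7.8.4"


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _base128(n: int) -> bytes:
    """OID sub-identifier: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV (first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = _base128(arcs[0] * 40 + arcs[1])
    content += b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, content)


def encode_hmn(hw_type: str, hw_serial: bytes) -> bytes:
    """HardwareModuleName ::= SEQUENCE { hwType OID, hwSerialNum OCTET STRING }"""
    return _tlv(0x30, encode_oid(hw_type) + _tlv(0x04, hw_serial))


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, operating on the OID content bytes only."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID content")
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_hmn(der: bytes):
    """Require exactly one HardwareModuleName; return (hwType, hwSerialNum)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    t1, oid, pos = _read_tlv(body, 0)
    t2, serial, pos = _read_tlv(body, pos)
    if t1 != 0x06 or t2 != 0x04 or pos != len(body):
        raise ValueError("not a HardwareModuleName structure")
    return decode_oid(oid), serial


def config_snippet(hw_type: str, hw_serial: bytes) -> str:
    """x509v3_config text putting the HMN in subjectAltName as an otherName,
    written with the ASN1_generate_nconf section syntax (hmn_sect is ours)."""
    return (
        f"subjectAltName = otherName:{HMN_OID};SEQUENCE:hmn_sect\n\n"
        "[hmn_sect]\n"
        f"hwType = OID:{hw_type}\n"
        f"hwSerialNum = FORMAT:HEX,OCT:{hw_serial.hex().upper()}\n"
    )


if __name__ == "__main__":
    hw_type, serial = "1.3.6.1.4.1.99999.1", b"SN0001"   # constructed sample values
    der = encode_hmn(hw_type, serial)
    print(config_snippet(hw_type, serial))
    print("expected DER of the otherName value:", der.hex().upper())
    print("decoded back:", decode_hmn(der))
```

Paste the printed snippet into the extension section your `openssl req`/`openssl x509` invocation selects, generate the certificate, then run `openssl asn1parse -in cert.pem -dump` and look for the 21-byte SEQUENCE whose hex matches what the script printed; older `openssl x509 -text` output shows such a SAN entry only as `othername:<unsupported>`, so asn1parse is the check that actually tells you the bytes are right.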

