[openssl-users] 802.1AR certificate generation and the config file
openssl-users at dukhovni.org
Fri Aug 11 16:47:46 UTC 2017
On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on. The "pki.tgz"
> > And further it seems you are saying there is no support for HMN at all.
>From the x509v3_config manpage:
If an extension is not supported by the OpenSSL code then it must be
encoded using the arbitrary extension format. It is also possible to
use the arbitrary format for supported extensions. Extreme care should
be taken to ensure that the data is formatted correctly for the given
There are two ways to encode arbitrary extensions.
The first way is to use the word ASN1 followed by the extension content
using the same syntax as ASN1_generate_nconf(3). For example:
220.127.116.11=critical,ASN1:UTF8String:Some random data
field1 = UTF8:field1
field2 = UTF8:field2
It is also possible to use the word DER to include the raw encoded data
in any extension.
The value following DER is a hex dump of the DER encoding of the
extension Any extension can be placed in this form to override the
default behaviour. For example:
More information about the openssl-users