[openssl-users] 802.1AR certificate generation and the config file
Dr. Stephen Henson
steve at openssl.org
Fri Aug 11 18:39:11 UTC 2017
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
> Frustrated...
>
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
> >>My challenge comes to subjectAltName and its subfield
> >>hardwareModuleName
> >>per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> >>'man x509v3_config'.
> >Not all forms of SAN names are supported. If you look in include/openssl/x509v3.h you see the following:
> ># define GEN_OTHERNAME 0
> ># define GEN_EMAIL 1
> ># define GEN_DNS 2
> ># define GEN_X400 3
> ># define GEN_DIRNAME 4
> ># define GEN_EDIPARTY 5
> ># define GEN_URI 6
> ># define GEN_IPADD 7
> ># define GEN_RID 8
>
> I just spent over an hour googling around as well as reading openssl
> docs to get a list of distinguished_name fields. Both in their full
> form and abbreviated form. All I fined are the common ones in
> examples.
>
> And for the list above for SAN, how are they presented in the
> openssl cli/config. Again, just not finding it.
>
> My search foo is weak.
>
> pointers greatly appreciated.
>
You can use the mini-ASN.1 compiler with the otherName syntax. This will
create the extension in the appropriate form but you wont get it displayed.
In outline it's like this:
----
# Use id-on-hardwareModuleName OID with otherName
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
[hmodname]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
----
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list