[openssl-users] 802.1AR certificate generation and the config file
Dr. Stephen Henson
steve at openssl.org
Fri Aug 11 18:39:11 UTC 2017
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
> >>My challenge comes to subjectAltName and its subfield
> >>per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> >>'man x509v3_config'.
> >Not all forms of SAN names are supported. If you look in include/openssl/x509v3.h you see the following:
> ># define GEN_OTHERNAME 0
> ># define GEN_EMAIL 1
> ># define GEN_DNS 2
> ># define GEN_X400 3
> ># define GEN_DIRNAME 4
> ># define GEN_EDIPARTY 5
> ># define GEN_URI 6
> ># define GEN_IPADD 7
> ># define GEN_RID 8
> I just spent over an hour googling around as well as reading openssl
> docs to get a list of distinguished_name fields. Both in their full
> form and abbreviated form. All I find are the common ones in
> And for the list above for SAN, how are they presented in the
> openssl cli/config. Again, just not finding it.
> My search foo is weak.
> pointers greatly appreciated.
You can use the mini-ASN.1 compiler with the otherName syntax. This will
create the extension in the appropriate form but you won't get it displayed.
In outline it's like this:
# Use id-on-hardwareModuleName OID with otherName
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
# Section referenced by SEQ:hmodname above
[hmodname]
hwType = OID:1.2.3.4 # Whatever OID you want (1.2.3.4 is a placeholder).
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org