[openssl-users] 802.1AR certificate generation and the config file
rgm at htt-consult.com
Mon Aug 14 04:02:49 UTC 2017
I am getting a SAN in the csr e.g.:
X509v3 Subject Alternative Name:
this is with the following in the config:
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext
[ req_ext ]
subjectAltName = IP:192.168.2.1
But I am not getting SAN in the cert. Perhaps I need something for SAN
in the -extensions section? Right now I only have:
[ 8021ar_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
On 08/12/2017 10:28 AM, Michael Ströder wrote:
> Robert Moskowitz wrote:
>> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>>> I would want the 'openssl req' command to prompt for hwType and
>>>> hsSerialNum. At least for now.
>>> Note that you can't get the 'openssl req' command prompt for this but you can
>>> generate the extension in an appropriate syntax: see my other message for
>>> You could prompt externally and pass the values as environment variables to
>>> openssl req of constuct the whole config file on the fly.
>> Making some headway. Figured out you cannot have an alternative [ req ] section in the
>> config; no way to specify it. Thus a completely separate config_8021AR to specify a
>> different distinguishedname set of fields. Got that, now to get started on SAN. Will
>> read your previous message.
> Maybe you should look at the following CLI options for "openssl req":
> -subj arg set or modify request subject
> -extensions .. specify certificate extension section (override value in config file)
> -reqexts .. specify request extension section (override value in config file)
> Ciao, Michael.
More information about the openssl-users