Setting Issuer Alternative Name
Robert Moskowitz
rgm at htt-consult.com
Thu May 11 15:26:25 UTC 2023
In RFC 5280:

   IssuerAltName ::= GeneralNames

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

So since I want a DET as IssuerAltName (e.g.
20010030000000052aeb9adc1ce8b1ecO), it seems that iPAddress is the only
thing that works. So in the config file, I tried:
#authorityKeyIdentifier = keyid:always,issuer
authorityKeyIdentifier = "iPAddress:20010030000000052aeb9adc1ce8b1ec"
and using "openssl req" get the error:
Error checking x509 extension section v3_ca
403C7BDE967F0000:error:11000078:X509 V3 routines:v2i_AUTHORITY_KEYID:unknown option:crypto/x509/v3_akid.c:131:name=iPAddress
403C7BDE967F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=iPAddress:20010030000000052aeb9adc1ce8b1ec

I have used iPAddress: in SAN, and thought that this would work;
obviously I am missing something.
Thanks for any pointers.
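
Added example, not part of the original post: the error above is raised by the authorityKeyIdentifier parser, which takes keyid/issuer options rather than GeneralName types, while Issuer Alternative Name has its own OpenSSL config keyword, issuerAltName, where the IP: prefix selects iPAddress [7]. The Python sketch below assumes the DET is meant as a 16-byte IPv6 value (helper names are hypothetical) and produces both the config line and the DER of the GeneralNames from the RFC 5280 excerpt.

```python
import ipaddress

# DET value as written in the post's config line (32 hex digits = 128 bits).
DET_HEX = "20010030000000052aeb9adc1ce8b1ec"


def det_to_ipv6(det_hex: str) -> ipaddress.IPv6Address:
    """Interpret a 32-hex-digit DET as a 128-bit IPv6 address (assumption)."""
    raw = bytes.fromhex(det_hex)  # raises ValueError on non-hex input
    if len(raw) != 16:
        raise ValueError("expected 16 bytes (32 hex digits), got %d" % len(raw))
    return ipaddress.IPv6Address(raw)


def issuer_alt_name_config(det_hex: str) -> str:
    """OpenSSL config line: issuerAltName extension with the IP: keyword.

    OpenSSL expects a textual IPv6 address here, not a bare hex string.
    """
    return "issuerAltName = IP:%s" % det_to_ipv6(det_hex).compressed


def general_names_der(det_hex: str) -> bytes:
    """DER of GeneralNames holding a single iPAddress [7] OCTET STRING."""
    addr = det_to_ipv6(det_hex).packed
    # 0x87 = context-specific, primitive, tag number 7 (iPAddress).
    general_name = bytes([0x87, len(addr)]) + addr
    # 0x30 = SEQUENCE (OF GeneralName); short-form length is enough here.
    return bytes([0x30, len(general_name)]) + general_name


if __name__ == "__main__":
    print(issuer_alt_name_config(DET_HEX))
    print(general_names_der(DET_HEX).hex())
```

The printed config line goes in the extension section (v3_ca in the post) alongside the original keyid-style authorityKeyIdentifier line, not in place of it.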