Setting Issuer Alternative Name
Robert Moskowitz
rgm at htt-consult.com
Thu May 11 19:48:52 UTC 2023
On 5/11/23 12:33, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 11:26:25AM -0400, Robert Moskowitz wrote:
>
>> In rfc5280:
>>
>> IssuerAltName ::= GeneralNames
>>
>> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>>
>> GeneralName ::= CHOICE {
>> otherName [0] OtherName,
>> rfc822Name [1] IA5String,
>> dNSName [2] IA5String,
>> x400Address [3] ORAddress,
>> directoryName [4] Name,
>> ediPartyName [5] EDIPartyName,
>> uniformResourceIdentifier [6] IA5String,
>> iPAddress [7] OCTET STRING,
>> registeredID [8] OBJECT IDENTIFIER }
>>
>> So since I want a DET as IssuerAltName (e.g.
>> 20010030000000052aeb9adc1ce8b1ecO), it seems that iPAddress is the only
>> thing that works. So in the config file, I tried:
> No, you would use "otherName", which is a combination of an OID and
> corresponding data. You would register (if there isn't one already) a
> suitable OID for DET-values, and choose a suitable DET encoding to go
> with that OID.
>
I was told that the name in OpenSSL is IP, not iPAddress as 5280 uses.
But that did not work either.
It would seem that some generalName is supported here, but how to code
it in the conf file?
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer
authorityKeyIdentifier = "IP:20010030000000052aeb9adc1ce8b1ec"
Error checking x509 extension section v3_ca
408C864BD77F0000:error:11000078:X509 V3
routines:v2i_AUTHORITY_KEYID:unknown
option:crypto/x509/v3_akid.c:131:name=IP
408C864BD77F0000:error:11000080:X509 V3
routines:X509V3_EXT_nconf_int:error in
extension:crypto/x509/v3_conf.c:48:section=v3_ca,
name=authorityKeyIdentifier, value=IP:20010030000000052aeb9adc1ce8b1ec
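As an added example (not from this thread or from OpenSSL), the following encodes the IssuerAltName GeneralNames quoted above in DER, once as iPAddress [7] (the tag tried here, which only fits a DET because 16 bytes is also the size of an IPv6 address) and once as otherName [0] carrying an OID, the form Viktor recommends. The OID 1.3.6.1.4.1.99999.1 is a constructed placeholder standing in for a registered DET OID.

```python
# Added example: hand-rolled DER for RFC 5280 GeneralNames, to contrast the
# iPAddress [7] and otherName [0] choices for carrying a DET in issuerAltName.

def der_len(n: int) -> bytes:
    """DER definite-length encoding (short form < 128, else long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged (40*a+b), remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def general_name_ip(raw: bytes) -> bytes:
    """iPAddress [7] IMPLICIT OCTET STRING: context-specific primitive tag 0x87."""
    return tlv(0x87, raw)

def general_name_other(oid: str, raw: bytes) -> bytes:
    """otherName [0] OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
    The payload is carried as an OCTET STRING inside the EXPLICIT [0] wrapper."""
    value = tlv(0xA0, tlv(0x04, raw))            # [0] EXPLICIT -> constructed 0xA0
    other_name = tlv(0x30, der_oid(oid) + value)
    return tlv(0xA0, other_name)                 # [0] IMPLICIT on a SEQUENCE stays constructed

def issuer_alt_name(*names: bytes) -> bytes:
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    if not names:
        raise ValueError("GeneralNames requires at least one GeneralName")
    return tlv(0x30, b"".join(names))

DET = bytes.fromhex("20010030000000052aeb9adc1ce8b1ec")  # the 16-byte value from the thread
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1"                  # constructed placeholder, not registered

if __name__ == "__main__":
    print("iPAddress form:", issuer_alt_name(general_name_ip(DET)).hex())
    print("otherName form:", issuer_alt_name(general_name_other(PLACEHOLDER_OID, DET)).hex())
```

In x509v3_config the same two encodings are written as `issuerAltName = IP:2001:30:0:5:2aeb:9adc:1ce8:b1ec` (IPv6 colon notation, not bare hex) and `issuerAltName = otherName:<OID>;FORMAT:HEX,OCT:20010030000000052aeb9adc1ce8b1ec`. The error quoted above comes from the value having been placed under `authorityKeyIdentifier`, whose parser does not accept GeneralName types such as `IP` at all.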