Re: [openssl-users] 802.1AR certificate generation and the config file
On 08/14/2017 07:16 AM, Michael Ströder wrote:
> Robert Moskowitz wrote:
>> I am getting a SAN in the csr e.g.:
>>
>> Attributes:
>> Requested Extensions:
>> X509v3 Subject Alternative Name:
>> IP Address:192.168.2.1
>> [..]
>> But I am not getting SAN in the cert. Perhaps I need something for SAN in the
>> -extensions section? Right now I only have:
>
> Are you using "openssl ca" for signing the cert?

Yes, I am.

> If yes, you could add the line
>
> copy_extensions = copy
>
> to your CA config section.
>
> http://cmrg.fifthhorseman.net/wiki/SubjectAltName
> https://wiki.openssl.org/index.php/Manual:Ca%281%29#CONFIGURATION_FILE_OPTIONS
>
> Ciao, Michael.

Thanks. That works.

Now that I can get a SAN into the certs I need to research using othername and what a hardwaremodulename OID looks like and make it happen. Got to google some and ask around more.

Again thanks for helping me get this far.

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 802.1AR certificate generation and the config file
Robert Moskowitz wrote:
> I am getting a SAN in the csr e.g.:
>
> Attributes:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> IP Address:192.168.2.1
> [..]
> But I am not getting SAN in the cert. Perhaps I need something for SAN in the
> -extensions section? Right now I only have:

Are you using "openssl ca" for signing the cert?

If yes, you could add the line

copy_extensions = copy

to your CA config section.

http://cmrg.fifthhorseman.net/wiki/SubjectAltName
https://wiki.openssl.org/index.php/Manual:Ca%281%29#CONFIGURATION_FILE_OPTIONS

Ciao, Michael.
Re: [openssl-users] 802.1AR certificate generation and the config file
I am getting a SAN in the csr e.g.:

Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.2.1

this is with the following in the config:

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext

[ req_ext ]
subjectAltName = IP:192.168.2.1

But I am not getting SAN in the cert. Perhaps I need something for SAN in the -extensions section? Right now I only have:

[ 8021ar_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment

On 08/12/2017 10:28 AM, Michael Ströder wrote:
> Robert Moskowitz wrote:
>> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>>> I would want the 'openssl req' command to prompt for hwType and
>>>> hsSerialNum. At least for now.
>>>
>>> Note that you can't get the 'openssl req' command prompt for this but you can
>>> generate the extension in an appropriate syntax: see my other message for
>>> details.
>>>
>>> You could prompt externally and pass the values as environment variables to
>>> openssl req or construct the whole config file on the fly.
>>
>> Sigh.
>>
>> Making some headway. Figured out you cannot have an alternative [ req ]
>> section in the config; no way to specify it. Thus a completely separate
>> config_8021AR to specify a different distinguishedname set of fields. Got
>> that, now to get started on SAN. Will read your previous message.
>
> Maybe you should look at the following CLI options for "openssl req":
>
> -subj arg        set or modify request subject
> [..]
> -extensions ..   specify certificate extension section (override value in config file)
> -reqexts ..      specify request extension section (override value in config file)
>
> Ciao, Michael.
Re: [openssl-users] 802.1AR certificate generation and the config file
Robert Moskowitz wrote:
> On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
>> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>>
>>> I would want the 'openssl req' command to prompt for hwType and
>>> hsSerialNum. At least for now.
>>>
>> Note that you can't get the 'openssl req' command prompt for this but you can
>> generate the extension in an appropriate syntax: see my other message for
>> details.
>>
>> You could prompt externally and pass the values as environment variables to
>> openssl req or construct the whole config file on the fly.
>
> Sigh.
>
> Making some headway. Figured out you cannot have an alternative [ req ]
> section in the config; no way to specify it. Thus a completely separate
> config_8021AR to specify a different distinguishedname set of fields. Got
> that, now to get started on SAN. Will read your previous message.

Maybe you should look at the following CLI options for "openssl req":

-subj arg        set or modify request subject
[..]
-extensions ..   specify certificate extension section (override value in config file)
-reqexts ..      specify request extension section (override value in config file)

Ciao, Michael.
Re: [openssl-users] 802.1AR certificate generation and the config file
On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote:
> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>> Frustrated...
>>
>> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>>>> My challenge comes to subjectAltName and its subfield hardwareModuleName
>>>> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
>>>> 'man x509v3_config'.
>>>
>>> Not all forms of SAN names are supported. If you look in
>>> include/openssl/x509v3.h you see the following:
>>>
>>> # define GEN_OTHERNAME 0
>>> # define GEN_EMAIL 1
>>> # define GEN_DNS 2
>>> # define GEN_X400 3
>>> # define GEN_DIRNAME 4
>>> # define GEN_EDIPARTY 5
>>> # define GEN_URI 6
>>> # define GEN_IPADD 7
>>> # define GEN_RID 8
>>
>> I just spent over an hour googling around as well as reading openssl
>> docs to get a list of distinguished_name fields. Both in their full
>> form and abbreviated form. All I find are the common ones in examples.
>>
>> And for the list above for SAN, how are they presented in the
>> openssl cli/config. Again, just not finding it.
>>
>> My search foo is weak.
>>
>> pointers greatly appreciated.
>
> You can use the mini-ASN.1 compiler with the otherName syntax. This will
> create the extension in the appropriate form but you won't get it displayed.
>
> In outline it's like this:
>
> # Use id-on-hardwareModuleName OID with otherName
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

Is that supposed to be a semi-colon before SEQ? Or a typo?

> [hmodname]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] 802.1AR certificate generation and the config file
On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
> On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>> I would want the 'openssl req' command to prompt for hwType and
>> hsSerialNum. At least for now.
>
> Note that you can't get the 'openssl req' command prompt for this but you can
> generate the extension in an appropriate syntax: see my other message for
> details.
>
> You could prompt externally and pass the values as environment variables to
> openssl req or construct the whole config file on the fly.

Sigh.

Making some headway. Figured out you cannot have an alternative [ req ] section in the config; no way to specify it. Thus a completely separate config_8021AR to specify a different distinguishedname set of fields. Got that, now to get started on SAN. Will read your previous message.

thanks
Re: [openssl-users] 802.1AR certificate generation and the config file
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
>
> I would want the 'openssl req' command to prompt for hwType and
> hsSerialNum. At least for now.
>

Note that you can't get the 'openssl req' command prompt for this but you can
generate the extension in an appropriate syntax: see my other message for
details.

You could prompt externally and pass the values as environment variables to
openssl req or construct the whole config file on the fly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] 802.1AR certificate generation and the config file
On Fri, Aug 11, 2017, Robert Moskowitz wrote:
> Frustrated...
>
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>>> My challenge comes to subjectAltName and its subfield hardwareModuleName
>>> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
>>> 'man x509v3_config'.
>>
>> Not all forms of SAN names are supported. If you look in
>> include/openssl/x509v3.h you see the following:
>>
>> # define GEN_OTHERNAME 0
>> # define GEN_EMAIL 1
>> # define GEN_DNS 2
>> # define GEN_X400 3
>> # define GEN_DIRNAME 4
>> # define GEN_EDIPARTY 5
>> # define GEN_URI 6
>> # define GEN_IPADD 7
>> # define GEN_RID 8
>
> I just spent over an hour googling around as well as reading openssl
> docs to get a list of distinguished_name fields. Both in their full
> form and abbreviated form. All I find are the common ones in
> examples.
>
> And for the list above for SAN, how are they presented in the
> openssl cli/config. Again, just not finding it.
>
> My search foo is weak.
>
> pointers greatly appreciated.
>

You can use the mini-ASN.1 compiler with the otherName syntax. This will
create the extension in the appropriate form but you won't get it displayed.

In outline it's like this:

# Use id-on-hardwareModuleName OID with otherName
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[hmodname]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] 802.1AR certificate generation and the config file
Frustrated...

On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>> My challenge comes to subjectAltName and its subfield hardwareModuleName
>> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
>> 'man x509v3_config'.
>
> Not all forms of SAN names are supported. If you look in
> include/openssl/x509v3.h you see the following:
>
> # define GEN_OTHERNAME 0
> # define GEN_EMAIL 1
> # define GEN_DNS 2
> # define GEN_X400 3
> # define GEN_DIRNAME 4
> # define GEN_EDIPARTY 5
> # define GEN_URI 6
> # define GEN_IPADD 7
> # define GEN_RID 8

I just spent over an hour googling around as well as reading openssl docs to get a list of distinguished_name fields. Both in their full form and abbreviated form. All I find are the common ones in examples.

And for the list above for SAN, how are they presented in the openssl cli/config. Again, just not finding it.

My search foo is weak.

pointers greatly appreciated.

Bob
Re: [openssl-users] 802.1AR certificate generation and the config file
Why thank you, Viktor. Let's see if I can get this right from RFC4108

On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:
> On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote:
>> In the certificate extensions section you do something like:
>> subjectAltName = dns:www.example.com, IP:127.0.0.1
>> and so on. The "pki.tgz"
>>
>>> And further it seems you are saying there is no support for HMN at all.
>>
>> Right.
>
> From the x509v3_config manpage:
>
> ARBITRARY EXTENSIONS
>
> If an extension is not supported by the OpenSSL code then it must be encoded
> using the arbitrary extension format. It is also possible to use the
> arbitrary format for supported extensions. Extreme care should be taken to
> ensure that the data is formatted correctly for the given extension type.
>
> There are two ways to encode arbitrary extensions.
>
> The first way is to use the word ASN1 followed by the extension content
> using the same syntax as ASN1_generate_nconf(3). For example:
>
> 1.2.3.4=critical,ASN1:UTF8String:Some random data
>
> 1.2.3.4=ASN1:SEQUENCE:seq_sect
>
> [seq_sect]
>
> field1 = UTF8:field1
>
> field2 = UTF8:field2
>
> It is also possible to use the word DER to include the raw encoded data in
> any extension.
>
> 1.2.3.4=critical,DER:01:02:03:04
> 1.2.3.4=DER:01020304
>
> The value following DER is a hex dump of the DER encoding of the extension
> Any extension can be placed in this form to override the default behaviour.
> For example:
>
> basicConstraints=critical,DER:00:01:02:03

id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
    iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) on(8) 4 }

HardwareModuleName ::= SEQUENCE {
    hwType OBJECT IDENTIFIER,
    hwSerialNum OCTET STRING }

The fields of the HardwareModuleName type have the following meanings:

hwType is an object identifier that identifies the type of hardware module. A unique object identifier names a hardware model and revision.

hwSerialNum is the serial number of the hardware module. No particular structure is imposed on the serial number; it need not be an integer. However, the combination of the hwType and hwSerialNum uniquely identifies the hardware module.

In my [ 8021ar_idevid ] section I would have a line:

1.3.6.1.5.5.7.8.4=ASN1:SEQUENCE:HardwareModuleName

then have:

[ HardwareModuleName ]
hwType = ??
hwSerialNum = ??

I would want the 'openssl req' command to prompt for hwType and hsSerialNum. At least for now.
Re: [openssl-users] 802.1AR certificate generation and the config file
On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote:
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on. The "pki.tgz"
>
>> And further it seems you are saying there is no support for HMN at all.
>
> Right.

From the x509v3_config manpage:

ARBITRARY EXTENSIONS

If an extension is not supported by the OpenSSL code then it must be encoded
using the arbitrary extension format. It is also possible to use the
arbitrary format for supported extensions. Extreme care should be taken to
ensure that the data is formatted correctly for the given extension type.

There are two ways to encode arbitrary extensions.

The first way is to use the word ASN1 followed by the extension content
using the same syntax as ASN1_generate_nconf(3). For example:

1.2.3.4=critical,ASN1:UTF8String:Some random data

1.2.3.4=ASN1:SEQUENCE:seq_sect

[seq_sect]

field1 = UTF8:field1

field2 = UTF8:field2

It is also possible to use the word DER to include the raw encoded data in
any extension.

1.2.3.4=critical,DER:01:02:03:04
1.2.3.4=DER:01020304

The value following DER is a hex dump of the DER encoding of the extension
Any extension can be placed in this form to override the default behaviour.
For example:

basicConstraints=critical,DER:00:01:02:03

--
Viktor.
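Steve's `otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname` config (with `hwType = OID:...` and `hwSerialNum = FORMAT:HEX,OCT:...`) and the RFC 4108 `HardwareModuleName` SEQUENCE quoted above both have to end up as the same DER bytes inside the SAN, and, as Steve notes, `openssl x509 -text` will not display them. The following is an added example, not code from the list or from OpenSSL: a small DER encoder/decoder in Python, with no third-party dependency, that builds exactly that otherName (hwType OID, hwSerialNum OCTET STRING, wrapped in the [0] EXPLICIT value of a GeneralName otherName) and parses a SAN extension value back out so the hardware identity in a signed iDevID can be checked. The sample values (hwType 1.2.3.4, serial 01020304, IP 192.168.2.1) are the ones from the thread; all function names and the minimal TLV reader (single-byte tags, definite lengths only) are this example's own.

```python
"""Encode/decode a subjectAltName otherName carrying an RFC 4108 HardwareModuleName.

Added example, not OpenSSL or list code. Implements only the DER rules needed
here (single-byte tags, definite-form lengths). Sample values 1.2.3.4 /
01020304 / 192.168.2.1 are from the thread; everything else is constructed.
"""
from typing import List, Tuple

HMN_OID = "1.3.6.1.5.5.7.8.4"  # id-on-hardwareModuleName (RFC 4108)


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80|count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _base128(v: int) -> bytes:
    out = bytearray([v & 0x7F])
    v >>= 7
    while v:
        out.insert(0, 0x80 | (v & 0x7F))
        v >>= 7
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs merge into 40*a+b, all arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    sids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return der_tlv(0x06, b"".join(_base128(s) for s in sids))


def decode_oid(content: bytes) -> str:
    sids, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            sids.append(val)
            val = 0
    first = 0 if sids[0] < 40 else 1 if sids[0] < 80 else 2
    return ".".join(str(x) for x in [first, sids[0] - 40 * first] + sids[1:])


def hardware_module_name_other_name(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """GeneralName otherName [0] { type-id OID, value [0] EXPLICIT HardwareModuleName }.
    This is what 'otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname' has to produce."""
    hmn = der_tlv(0x30, encode_oid(hw_type_oid) + der_tlv(0x04, hw_serial))
    return der_tlv(0xA0, encode_oid(HMN_OID) + der_tlv(0xA0, hmn))


def ip_general_name(ipv4: str) -> bytes:
    """GeneralName iPAddress [7] IMPLICIT OCTET STRING: 4 raw bytes for IPv4."""
    return der_tlv(0x87, bytes(int(o) for o in ipv4.split(".")))


def subject_alt_name(general_names: List[bytes]) -> bytes:
    """Extension value: SubjectAltName ::= SEQUENCE OF GeneralName."""
    return der_tlv(0x30, b"".join(general_names))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); rejects an element that overruns the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_subject_alt_name(ext_value: bytes) -> List[Tuple[str, object]]:
    """Decode a SAN extension value into (kind, value) pairs, including the
    HardwareModuleName that 'openssl x509 -text' does not display."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("SAN value must be exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x87 and len(content) == 4:
            names.append(("IP", ".".join(str(b) for b in content)))
        elif tag == 0x82:
            names.append(("DNS", content.decode("ascii")))
        elif tag == 0xA0:  # otherName
            t, oid, p = _read_tlv(content, 0)
            t2, inner, _ = _read_tlv(content, p)
            if t != 0x06 or t2 != 0xA0:
                raise ValueError("malformed otherName")
            type_id = decode_oid(oid)
            if type_id != HMN_OID:
                names.append(("otherName", (type_id, inner.hex())))
                continue
            t0, hmn, _ = _read_tlv(inner, 0)
            t1, hw_type, p1 = _read_tlv(hmn, 0)
            t3, serial, _ = _read_tlv(hmn, p1)
            if (t0, t1, t3) != (0x30, 0x06, 0x04):
                raise ValueError("malformed HardwareModuleName")
            names.append(("hardwareModuleName", (decode_oid(hw_type), serial.hex())))
        else:
            names.append((f"tag 0x{tag:02x}", content.hex()))
    return names


if __name__ == "__main__":
    san = subject_alt_name([ip_general_name("192.168.2.1"),
                            hardware_module_name_other_name("1.2.3.4", bytes.fromhex("01020304"))])
    print(san.hex())
    for kind, value in parse_subject_alt_name(san):
        print(kind, value)
```

To check a real certificate, feed `parse_subject_alt_name` the SAN extension's value bytes (the content of the OCTET STRING under OID 2.5.29.17, which `openssl asn1parse -in cert.pem` lets you locate by offset); a cert issued without `copy_extensions = copy` simply has no such extension to parse.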
Re: [openssl-users] 802.1AR certificate generation and the config file
Sigh. Well let's see what I can get done on this by the next IEEE802/IETF week pair.

On 08/11/2017 11:56 AM, Salz, Rich wrote:
>> What is the procedure to get it added? RFC 4108 has been around for a while,
>> as has 802.1AR-2009.
>
> Simplest way is to (get someone to) write the code and make a github pull request.
> Next way is to post a patch. Next way is to open an issue and hope someone gets
> around to it.
>
>> Though I am assuming from a prior comment that even if it were added
>> today, it would not be available until the 1.1.1 release?
>
> Right. But someone could always backport the changes to their own 1.1.0 release.
Re: [openssl-users] 802.1AR certificate generation and the config file
> What is the procedure to get it added? RFC 4108 has been around for a while,
> as has 802.1AR-2009.

Simplest way is to (get someone to) write the code and make a github pull request. Next way is to post a patch. Next way is to open an issue and hope someone gets around to it.

> Though I am assuming from a prior comment that even if it were added
> today, it would not be available until the 1.1.1 release?

Right. But someone could always backport the changes to their own 1.1.0 release.
Re: [openssl-users] 802.1AR certificate generation and the config file
On 08/11/2017 11:29 AM, Salz, Rich wrote:
>> Given these supported names, what goes into the config file to create a SAN
>> without having to specify it on the command line?
>
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on. The "pki.tgz"

OK. I am beginning to get this. Will set some things up and test.

>> And further it seems you are saying there is no support for HMN at all.
>
> Right.

What is the procedure to get it added? RFC 4108 has been around for a while, as has 802.1AR-2009.

Though I am assuming from a prior comment that even if it were added today, it would not be available until the 1.1.1 release?

thanks

Bob
Re: [openssl-users] 802.1AR certificate generation and the config file
> Given these supported names, what goes into the config file to create a SAN
> without having to specify it on the command line?

In the certificate extensions section you do something like:
subjectAltName = dns:www.example.com, IP:127.0.0.1
and so on. The "pki.tgz"

> And further it seems you are saying there is no support for HMN at all.

Right.
Re: [openssl-users] 802.1AR certificate generation and the config file
Thanks for the response, Rich.

On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
>> My challenge comes to subjectAltName and its subfield hardwareModuleName
>> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
>> 'man x509v3_config'.
>
> Not all forms of SAN names are supported. If you look in
> include/openssl/x509v3.h you see the following:
>
> # define GEN_OTHERNAME 0
> # define GEN_EMAIL 1
> # define GEN_DNS 2
> # define GEN_X400 3
> # define GEN_DIRNAME 4
> # define GEN_EDIPARTY 5
> # define GEN_URI 6
> # define GEN_IPADD 7
> # define GEN_RID 8
>
> crypto/x509v3/v3_alt.c you can find details and corner-case information.

A couple things. As we have discussed directly, I am not a coder; haven't coded since working with 'B' on Honeywells in the mid-80s. So looking at 'C' code is a bit of a struggle.

That said, given these supported names, what goes into the config file to create a SAN without having to specify it on the command line?

And further it seems you are saying there is no support for HMN at all.
Re: [openssl-users] 802.1AR certificate generation and the config file
> My challenge comes to subjectAltName and its subfield hardwareModuleName
> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> 'man x509v3_config'.

Not all forms of SAN names are supported. If you look in include/openssl/x509v3.h you see the following:

# define GEN_OTHERNAME 0
# define GEN_EMAIL 1
# define GEN_DNS 2
# define GEN_X400 3
# define GEN_DIRNAME 4
# define GEN_EDIPARTY 5
# define GEN_URI 6
# define GEN_IPADD 7
# define GEN_RID 8

crypto/x509v3/v3_alt.c you can find details and corner-case information.