Hi Bob, I'm watching this thread with interest. My take on this [1] is a little different than yours, but I was just prototyping a rough solution, I never took it to completion...

[1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55

Kent

--

Making some progress.

On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list. So if this is covered in the archives
> anywhere, my weak search foo did not uncover it...
>
> Has anyone created iDevID certs with openssl including subjectAltName
> with hardwareModuleName?
>
> I have been working on this for a few days and have worked out HOW to
> even get certs to contain SAN, particularly going the csr route. I
> have learned on the openssl list that HMN is not directly supported
> and that you have to use othername. Something like
>
>     [ req_ext ]
>     subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
>
>     [ hmodname ]
>     hwType = OID:1.2.3.4                     # Whatever OID you want.
>     hwSerialNum = FORMAT:HEX,OCT:01020304    # Some hex

This produces a subjectAltName content of:

     0:d=0  hl=2 l=  27 cons: SEQUENCE
     2:d=1  hl=2 l=  25 cons: cont [ 0 ]
     4:d=2  hl=2 l=   8 prim: OBJECT            :1.3.6.1.5.5.7.8.4
    14:d=2  hl=2 l=  13 cons: cont [ 0 ]
    16:d=3  hl=2 l=  11 cons: SEQUENCE
    18:d=4  hl=2 l=   3 prim: OBJECT            :1.2.3.4
    23:d=4  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:01020304

I suspect that hwType is a full vendor OID for registering this device. Say my company, HTT Consulting, makes sensor widgets. The OID for that could be: 1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor widget).

> But I am not sure what exactly to do with hwType and hwSerialNum
>
> Are there any extant examples?

So googling around for examples and not finding any. But then my search foo has always been weak.

> Currently there is no way to feed any SAN value in at the command like
> 'openssl req'. It has to go into the config file, so once I work out
> WHAT to put into these fields, I will have to do some kludgy stuff to
> stuff values into the config then run the command. There are examples
> of this around for SANs of IP, DNS, etc.
>
> BTW, so far I have a simple guide for making a pki of ECDSA certs
> using openssl. I would be willing to share what I have done to date.
> The 802.1AR cert section is understandably incomplete...
>
> Bob

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
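The asn1parse dump above is exactly the RFC 4108 HardwareModuleName carried as an otherName. As an added example (not code from this thread or from the zero-touch repository), here is a minimal pure-Python DER encoder/decoder for that one structure, so an issued IDevID's SAN can be checked byte-for-byte against what the config was meant to produce rather than eyeballed; function names are mine, and it assumes the SAN holds that single otherName.

```python
ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"   # added example, not from the thread (RFC 4108 type-id)
def _tlv(tag, body):                    # DER TLV with definite-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def decode_oid(body):                   # inverse of encode_oid (first arc 0, 1 or 2)
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def encode_san_hmn(hw_type, serial):
    hmn = _tlv(0x30, encode_oid(hw_type) + _tlv(0x04, serial))      # HardwareModuleName
    other = _tlv(0xA0, encode_oid(ID_ON_HARDWARE_MODULE_NAME) + _tlv(0xA0, hmn))  # otherName
    return _tlv(0x30, other)                                          # GeneralNames

def _read_tlv(buf, pos=0):              # -> (tag, contents, position after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_san_hmn(der):                # -> (hwType dotted OID, hwSerialNum bytes)
    tag, names, _ = _read_tlv(der)                  # GeneralNames SEQUENCE
    t_on, other, _ = _read_tlv(names)               # otherName [0]
    t_id, type_id, pos = _read_tlv(other)           # type-id OBJECT IDENTIFIER
    t_ex, explicit, _ = _read_tlv(other, pos)       # value [0] EXPLICIT
    t_seq, hmn, _ = _read_tlv(explicit)             # HardwareModuleName SEQUENCE
    t_oid, hw_type, pos = _read_tlv(hmn)            # hwType
    t_oct, serial, _ = _read_tlv(hmn, pos)          # hwSerialNum
    if (tag, t_on, t_id, t_ex, t_seq, t_oid, t_oct) != (0x30, 0xA0, 0x06, 0xA0, 0x30, 0x06, 0x04):
        raise ValueError("not a GeneralNames/otherName/HardwareModuleName structure")
    if decode_oid(type_id) != ID_ON_HARDWARE_MODULE_NAME:
        raise ValueError("otherName type-id is not id-on-hardwareModuleName")
    return decode_oid(hw_type), serial
```

`encode_san_hmn("1.2.3.4", bytes.fromhex("01020304"))` reproduces the 29-byte extension value shown in the dump, and `decode_san_hmn` applied to the SAN extension of a real certificate gives back the vendor hwType and serial for comparison against inventory.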
