I want to share my work on building a generic ECDSA pki with an 802.1AR
leaf. You can see my work at:
http://www.htt-consult.com/pki.html
I believe I have iDevID properly constructed, but I am not sure about
hwSerailNumber plus its relationship to the DN's serialNumber.
I am interested in feedback on this. I am willing to turn it into an
ID. First I have to do CRL and OCSP support.
openssl is NOT so easy to use for all this. :( Rich Salz and others
on the openssl-user list were a great help.
Bob
On 08/16/2017 12:43 PM, Kent Watsen wrote:
Hi Bob,
I'm watching this thread with interest. My take on this [1] is a little
different than yours, but I was just prototyping a rough solution, I
never took it to completion...
[1]
https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55
Kent
--
Making some progress.
On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
I have just joined this list. So if this is covered in the archives
anywhere, my weak search foo did not uncover it...
Has anyone created iDevID certs with openssl including subjectAltName
with hardwareModuleName?
I have been working on this for a few days and have worked out HOW to
even get certs to contain SAN, particularly going the csr route. I
have learned on the openssl list that HMN is not directly supported
and that you have to use othername. Something like
[ req_ext ]
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
[ hmodname ]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
This produces a subjectAltName content of:
0:d=0 hl=2 l= 27 cons: SEQUENCE
2:d=1 hl=2 l= 25 cons: cont [ 0 ]
4:d=2 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.8.4
14:d=2 hl=2 l= 13 cons: cont [ 0 ]
16:d=3 hl=2 l= 11 cons: SEQUENCE
18:d=4 hl=2 l= 3 prim: OBJECT :1.2.3.4
23:d=4 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:01020304
I suspect that hwtype is a full vendor OID for registering this device.
Say my company, HTT Consulting makes sensor widgets. The OID for that
could be:
1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor
widget).
But I am not sure what exactly to do with hwType and hwSerialNum
Are there any extant examples?
So googling around for examples and not finding any. But then my search
foo has always been weak.
Currently there is no way to feed any SAN value in at the command like
'openssl req'. It has to go into the config file, so once I work out
WHAT to but into these fields, I will have to do some kludgly stuff to
stuff values into the config then run the command. There are examples
of this around for SANs of IP, DNS, etc.
BTW, so far I have a simple guide for making a pki of ECDSA certs
using openssl. I would be willing to share what I have done todate.
The 802.1AR cert section is understandably incomplete...
Bob
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
