I have updated my guide for building a little ECDSA pki, including iDevID certs. You can see it at:

www.htt-consult.com/pki

PEM works. DER does not work. I have been finding problems with openssl command line support for DER. Which brings up a question for this list:

What format do you expect to see for: draft-ietf-anima-bootstrapping-keyinfra

PEM or DER?

PEM supports cert chains, DER does not.
DER is nice and small for small devices. A PEM non-password P-256 private key object is 241 bytes. DER is 121 bytes (DER does not support encrypting the private key object). This is a real cost of secure storage for some devices.

What format are the various bootstrap objects (e.g. vouchers)? Has anyone built any of these for a PoC?


On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
I have just joined this list. So if this is covered in the archives anywhere, my weak search foo did not uncover it...

Has anyone created iDevID certs with openssl including subjectAltName with hardwareModuleName?

I have been working on this for a few days and have worked out HOW to even get certs to contain SAN, particularly going the csr route. I have learned on the openssl list that HMN is not directly supported and that you have to use othername. Something like

[ req_ext ]
# 1.3.6.1.5.5.7.8.4 is id-on-hardwareModuleName (RFC 4108); SEQ:hmodname tells
# OpenSSL to build the otherName value as a SEQUENCE from the [hmodname] section.
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[ hmodname ]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

But I am not sure what exactly to do with hwType and hwSerialNum

Are there any extant examples?

Currently there is no way to feed any SAN value in at the command line with 'openssl req'. It has to go into the config file, so once I work out WHAT to put into these fields, I will have to do some kludgy stuff to stuff values into the config and then run the command. There are examples of this around for SANs of IP, DNS, etc.

BTW, so far I have a simple guide for making a PKI of ECDSA certs using openssl. I would be willing to share what I have done to date. The 802.1AR cert section is understandably incomplete...

Bob



_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima

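The question in the quoted message, what actually ends up in hwType and hwSerialNum, is easiest to answer by looking at the bytes. The following is an added example, not code from the original posts, from OpenSSL or from the anima drafts: a dependency-free Python script that hand-encodes the subjectAltName value carrying a hardwareModuleName otherName exactly as RFC 4108 defines it (HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }, wrapped in a GeneralName otherName under id-on-hardwareModuleName 1.3.6.1.5.5.7.8.4), and parses it back. The sample values, hwType 1.2.3.4 and serial 01020304, are the placeholders from the quoted config fragment; the same bytes are what that `otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname` line should make OpenSSL emit, so the output is a useful cross-check against `openssl asn1parse -in cert.pem -strparse N` on a cert built with that config.

```python
# Added example: hand-rolled DER for the hardwareModuleName otherName SAN.
# Not from the original posts; sample OID 1.2.3.4 and serial 01020304 are
# the placeholder values from the quoted OpenSSL config fragment.

ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"  # RFC 4108


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def hardware_module_name(hw_type: str, hw_serial: bytes) -> bytes:
    """HardwareModuleName ::= SEQUENCE { hwType OID, hwSerialNum OCTET STRING }"""
    return der_tlv(0x30, der_oid(hw_type) + der_tlv(0x04, hw_serial))


def other_name(type_id: str, value: bytes) -> bytes:
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }"""
    return der_tlv(0xA0, der_oid(type_id) + der_tlv(0xA0, value))


def san_hardware_module_name(hw_type: str, hw_serial: bytes) -> bytes:
    """subjectAltName extnValue (GeneralNames SEQUENCE) with one hardwareModuleName."""
    hmn = hardware_module_name(hw_type, hw_serial)
    return der_tlv(0x30, other_name(ID_ON_HARDWARE_MODULE_NAME, hmn))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Inverse of der_oid (assumes a first arc of 0, 1 or 2 with second arc < 40)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_san_hardware_module_name(san: bytes):
    """Return (hwType, hwSerialNum) from a SAN value, skipping DNS/IP/other names."""
    tag, names, _ = _read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                     # not an otherName
            continue
        t, oid_body, p = _read_tlv(body, 0)
        if t != 0x06 or decode_oid(oid_body) != ID_ON_HARDWARE_MODULE_NAME:
            continue                        # some other otherName type
        _, explicit, _ = _read_tlv(body, p)  # value [0] EXPLICIT
        _, hmn, _ = _read_tlv(explicit, 0)  # HardwareModuleName SEQUENCE
        t1, hw_type, p = _read_tlv(hmn, 0)
        t2, serial, _ = _read_tlv(hmn, p)
        if t1 != 0x06 or t2 != 0x04:
            raise ValueError("malformed HardwareModuleName")
        return decode_oid(hw_type), serial
    raise ValueError("no hardwareModuleName otherName present")


if __name__ == "__main__":
    san = san_hardware_module_name("1.2.3.4", bytes.fromhex("01020304"))
    print(san.hex())
    print(parse_san_hardware_module_name(san))
```

Run it and compare the printed hex with the `asn1parse` dump of a cert generated from the config: the inner SEQUENCE should read 30 0b 06 03 2a 03 04 04 04 01 02 03 04, i.e. the OID then the raw serial as an OCTET STRING, with nothing else. The parser deliberately walks past DNS and IP GeneralNames so the same SAN can carry both kinds of name.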