Robert Moskowitz <[email protected]> wrote:
    > I have just joined this list.  So if this is covered in the archives
    > anywhere, my weak search foo did not uncover it...

    > Has anyone created iDevID certs with openssl including subjectAltName with
    > hardwareModuleName?

Not exactly, I was also adding my own PEN OID with the Serial Number.
    # the OID: 1.3.6.1.4.1.46930.1 is a Private Enterprise Number OID:
    #    iso.org.dod.internet.private.enterprise . SANDELMAN=46930 . 1
    # subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

I added:

    > [ req_ext ]
    > subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

My ruby code looks like:

    # include the official HardwareModule OID:  1.3.6.1.5.5.7.8.4
    @idevid.add_extension(ef.create_extension(
                            "subjectAltName",
                            sprintf("otherName:1.3.6.1.5.5.7.8.4;UTF8:%s",
                                    self.sanitized_eui64),
                            false))

see: https://github.com/mcr/highway/blob/master/app/models/device.rb#L43

I include what I think is an IDevID for a device with EUI-48 12-00-00-66-4D-02.
I'm not 100% sure that's a valid hwSerialNumber, which is why I had used my own
OID :-)

https://github.com/mcr/fountain/tree/master/spec/certs has the public key
that signed the cert attached (and the cert as well)

The thing I found impossible to do programmatically was to create the
Registrar CA cert with the cmcRA bit set.  I had to resort to configuration
files like yours, see: https://github.com/mcr/fountain/blob/master/trialra.sh




--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
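
Added example, not part of the original message and not code from the highway or fountain repositories: RFC 4108 defines HardwareModuleName as SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }, and this Ruby sketch builds that structure as the otherName value (rather than a UTF8String), puts it in a throwaway self-signed certificate, and parses it back. Assumptions: the hwType OID is a placeholder under the documentation PEN 32473, the raw EUI bytes are used as hwSerialNum, and all helper names are hypothetical.

```ruby
require "openssl"

HWMODNAME_OID = "1.3.6.1.5.5.7.8.4"    # id-on-hardwareModuleName (RFC 4108)
HWTYPE_OID    = "1.3.6.1.4.1.32473.1"  # placeholder hwType: 32473 is the documentation PEN

# "12-00-00-66-4D-02" -> raw bytes for hwSerialNum (assumed mapping).
def eui_bytes(eui)
  [eui.delete("-:")].pack("H*")
end

# GeneralNames ::= SEQUENCE OF GeneralName; otherName is [0] IMPLICIT
# SEQUENCE { type-id OID, value [0] EXPLICIT HardwareModuleName }.
def hwmodname_san(hw_type, serial)
  hmn = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(hw_type),
    OpenSSL::ASN1::OctetString.new(serial)
  ])
  value = OpenSSL::ASN1::ASN1Data.new([hmn], 0, :CONTEXT_SPECIFIC)
  other = OpenSSL::ASN1::ASN1Data.new(
    [OpenSSL::ASN1::ObjectId.new(HWMODNAME_OID), value], 0, :CONTEXT_SPECIFIC)
  der = OpenSSL::ASN1::Sequence.new([other]).to_der
  OpenSSL::X509::Extension.new("subjectAltName", der, false)
end

# Returns [hwType, hwSerialNum] from a certificate, or nil if absent.
def parse_hwmodname(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return nil unless ext
  san = OpenSSL::ASN1.decode(ext.to_der).value.last.value # extnValue bytes
  OpenSSL::ASN1.decode(san).value.each do |gn|
    next unless gn.tag == 0 && gn.tag_class == :CONTEXT_SPECIFIC
    type_id, wrapped = gn.value
    next unless type_id.oid == HWMODNAME_OID
    hw_type, serial = wrapped.value.first.value
    return [hw_type.oid, serial.value]
  end
  nil
end

# Constructed self-signed test certificate; not a real IDevID chain.
def build_test_idevid(eui)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed test device")
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.add_extension(hwmodname_san(HWTYPE_OID, eui_bytes(eui)))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  OpenSSL::X509::Certificate.new(cert.to_der) # round-trip through DER
end
```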


