Re: certutil - iPaddress SubjectAltName extension
On Mon, 2014-07-14 at 23:38 +0200, Bernhard Thalmayr wrote:
> Is there any documentation available for '--extSAN' parameter?
> Mr. Google did not find any helpful resource.

Look at the help output that certutil produces with the -H command:

    --extSAN type:name[,type:name]...
          Create a Subject Alt Name extension with one or multiple names
          - type: directory, dn, dns, edi, ediparty, email, ip, ipaddr,
            other, registerid, rfc822, uri, x400, x400addr

Kai

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: certutil - iPaddress SubjectAltName extension
--On July 16, 2014 17:32:22 +0200 Kai Engert k...@kuix.de wrote:
> On Mon, 2014-07-14 at 23:38 +0200, Bernhard Thalmayr wrote:
>> Is there any documentation available for '--extSAN' parameter?
>> Mr. Google did not find any helpful resource.
>
> Look at the help output that certutil produces with the -H command:
>
>     --extSAN type:name[,type:name]...
>           Create a Subject Alt Name extension with one or multiple names
>           - type: directory, dn, dns, edi, ediparty, email, ip, ipaddr,
>             other, registerid, rfc822, uri, x400, x400addr

Does this support SubjectAltName forms such as XMPP Addr (RFC 6120 sec 13.7.1.4) or service name (RFC 4985)?

In particular, an other SubjectAltName generally involves at least an OID and a string. This help is a bit terse for that use...

- Chris
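As an added illustration (not certutil's code and not part of the thread): what the `dns` and `ip` types of the `type:name` syntax quoted above correspond to inside the certificate, following the GeneralName definition in RFC 5280 section 4.2.1.6. It covers only those two types, and the parsing rules used here (split on commas, first colon separates type from name) are assumptions, not certutil's documented behaviour.

```python
import ipaddress

# GeneralName tags from RFC 5280 section 4.2.1.6 (context-specific, primitive).
TAGS = {"dns": 0x82, "ip": 0x87, "ipaddr": 0x87}  # dNSName [2], iPAddress [7]
SAMPLE_SPEC = "dns:ldap.example.com,ip:192.0.2.10"  # constructed sample input


def _tlv(tag, value):
    """DER tag-length-value, short or long definite length form."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def encode_san(spec):
    """Encode 'type:name[,type:name]...' as a DER GeneralNames SEQUENCE."""
    names = b""
    for item in spec.split(","):
        # Split on the first ':' only, so an IPv6 literal stays in one piece.
        kind, sep, name = item.strip().partition(":")
        if not sep or kind.lower() not in TAGS:
            raise ValueError(f"unsupported SAN entry: {item!r}")
        tag = TAGS[kind.lower()]
        # iPAddress is 4 or 16 raw octets; dNSName is an IA5String (ASCII text).
        value = ipaddress.ip_address(name).packed if tag == 0x87 else name.encode("ascii")
        names += _tlv(tag, value)
    return _tlv(0x30, names)


def _read(der, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = der[pos], der[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        first = int.from_bytes(der[pos:pos + k], "big")
        pos += k
    return tag, der[pos:pos + first], pos + first


def decode_san(der):
    """List (type, name) pairs for the dNSName and iPAddress entries."""
    tag, body, _ = _read(der, 0)
    if tag != 0x30:
        raise ValueError("not a GeneralNames SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read(body, pos)
        if tag == 0x82:
            out.append(("dns", value.decode("ascii")))
        elif tag == 0x87:
            out.append(("ip", str(ipaddress.ip_address(value))))
    return out
```

In this sketch an address passed under `dns` would be stored as text in a dNSName entry, so decoding the extension shows which form an entry actually took.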
certutil - iPaddress SubjectAltName extension
Hi experts,

although I'm pretty sure this has been asked before, I could not find any pointers in the archive.

What is the reason, why certutil supports 'dNSName' GeneralNames for SubjectAltName but not 'iPAddress' (RFC 3270 section 4.2.1.7)?

Especially Directory Servers (used for 'native LDAP') often use IP instead of FQDN in the SAN extension of the server cert and it's not too nice to use 'openssl' to get this.

I've seen bug 396255, which suggests there was some intention to support it.

TIA,
Bernhard

--
Painstaking Minds IT-Consulting
Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699
bernhard.thalm...@painstakingminds.com - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr
Re: certutil - iPaddress SubjectAltName extension
On Mon, 2014-07-14 at 10:47 +0200, Bernhard Thalmayr wrote:
> What is the reason, why certutil supports 'dNSName' GeneralNames for
> SubjectAltName but not 'iPAddress' (RFC 3270 section 4.2.1.7)?

Do you refer to the command line parameters -7 and -8 ?

I don't know why this subset was chosen in the past.

However, just recently we added support for additional SAN variations (in version 3.16.2), which provides the new parameter --extSAN.

Can you try it? If it doesn't work as expected, please let us know.

Kai
Re: certutil - iPaddress SubjectAltName extension
Thanks a lot for the details Kai, much appreciated.

Indeed I was referring to options '-7', '-8' as they are described at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

I was not aware of '--extSAN' as it seems to be missing from the above doc. Thanks for pointing it out. I will give it a shot.

Is there any documentation available for '--extSAN' parameter? Mr. Google did not find any helpful resource.

Thanks again,
Bernhard

On 7/14/14 8:11 PM, Kai Engert wrote:
> On Mon, 2014-07-14 at 10:47 +0200, Bernhard Thalmayr wrote:
>> What is the reason, why certutil supports 'dNSName' GeneralNames for
>> SubjectAltName but not 'iPAddress' (RFC 3270 section 4.2.1.7)?
>
> Do you refer to the command line parameters -7 and -8 ?
>
> I don't know why this subset was chosen in the past.
>
> However, just recently we added support for additional SAN variations
> (in version 3.16.2), which provides the new parameter --extSAN.
>
> Can you try it? If it doesn't work as expected, please let us know.
>
> Kai