Now that I can build a generic PKI with EDDSA, the next step is to add
creation of 802.1AR iDevID certificates. I am using the current draft,
sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same
(but more clearly written) as sec 7, 802.1AR-2009.

I start with making the following section in my openssl.cnf file:

    [ 8021AR_idevid ]
    # Extensions for IEEE 802.1AR iDevID certificates (`man ????`).
    basicConstraints = CA:FALSE
    # subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment

Note that clause 7.6 says:

"The Subject Key Identifier extension should not be included in DevID
certificates."

The clause goes on to state that Subject Key Identifier IS included in
CA certificates for certificate path building.

My challenge comes to subjectAltName and its subfield hardwareModuleName
per RFC 4108. I guess I am not 'getting' the subjectAltName section of
'man x509v3_config'.

Any help greatly appreciated.
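
One way to express the RFC 4108 hardwareModuleName as an otherName in the extension section above, added here as an example and not part of the original post. The `hmodname` section name, the hwType OID (placed under 32473, the enterprise number reserved for documentation) and the serial number bytes are placeholders.

```ini
[ 8021AR_idevid ]
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
# otherName takes "<type-id OID>;<value>", with the value written in
# ASN1_generate_nconf(3) syntax. 1.3.6.1.5.5.7.8.4 is
# id-on-hardwareModuleName from RFC 4108.
subjectAltName         = otherName:1.3.6.1.5.5.7.8.4;SEQUENCE:hmodname

[ hmodname ]
# HardwareModuleName ::= SEQUENCE {
#     hwType      OBJECT IDENTIFIER,
#     hwSerialNum OCTET STRING }
# The names on the left are only labels; the order of the lines sets the
# order of the encoded fields, so hwType must come first.
# Placeholder OID: replace with the OID your organisation assigns to this
# hardware type.
hwType      = OID:1.3.6.1.4.1.32473.1.1
# Constructed sample serial number, given as hex and encoded as raw bytes.
hwSerialNum = FORMAT:HEX,OCTETSTRING:0102030405060708
```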