On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:
> In the certificate extensions section you do something like:
> subjectAltName = dns:www.example.com, IP:127.0.0.1
> and so on. The "pki.tgz"
>
> > And further it seems you are saying there is no support for HMN at all.
>
> Right.
>From the x509v3_config manpage:
ARBITRARY EXTENSIONS
If an extension is not supported by the OpenSSL code then it must be
encoded using the arbitrary extension format. It is also possible to
use the arbitrary format for supported extensions. Extreme care should
be taken to ensure that the data is formatted correctly for the given
extension type.
There are two ways to encode arbitrary extensions.
The first way is to use the word ASN1 followed by the extension content
using the same syntax as ASN1_generate_nconf(3). For example:
1.2.3.4=critical,ASN1:UTF8String:Some random data
1.2.3.4=ASN1:SEQUENCE:seq_sect
[seq_sect]
field1 = UTF8:field1
field2 = UTF8:field2
It is also possible to use the word DER to include the raw encoded data
in any extension.
1.2.3.4=critical,DER:01:02:03:04
1.2.3.4=DER:01020304
The value following DER is a hex dump of the DER encoding of the
extension Any extension can be placed in this form to override the
default behaviour. For example:
basicConstraints=critical,DER:00:01:02:03
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
