Re: 802.1AR certificate generation and the config file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am getting a SAN in the csr e.g.:

        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.2.1

this is with the following in the config:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
req_extensions = req_ext

....

[ req_ext ]
subjectAltName = IP:192.168.2.1

But I am not getting SAN in the cert. Perhaps I need something for SAN in the -extensions section? Right now I only have:

[ 8021ar_idevid ]
# Extensions for IEEE 802.1AR iDevID certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment

????


On 08/12/2017 10:28 AM, Michael Ströder wrote:
Robert Moskowitz wrote:
On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote:
On Fri, Aug 11, 2017, Robert Moskowitz wrote:

I would want the 'openssl req' command to prompt for hwType and
hsSerialNum.  At least for now.

Note that you can't get the 'openssl req' command prompt for this but you can
generate the extension in an appropriate syntax: see my other message for
details.

You could prompt externally and pass the values as environment variables to
openssl req of constuct the whole config file on the fly.
Sigh.

Making some headway.  Figured out you cannot have an alternative [ req ] section in the
config; no way to specify it.  Thus a completely separate config_8021AR to specify a
different distinguishedname set of fields.  Got that, now to get started on SAN.  Will
read your previous message.
Maybe you should look at the following CLI options for "openssl req":

  -subj arg      set or modify request subject
[..]
  -extensions .. specify certificate extension section (override value in config file)
  -reqexts ..    specify request extension section (override value in config file)

Ciao, Michael.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux