Re: Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR


 



On 2021-10-14 18:43, Philip Prindeville wrote:
Hi,

I need to generate CSR's with some Extensions included that use our PEN's as allocated by IANA.

Are there any examples of this?

Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a STACK_OF(X509_EXTENSION) but it doesn't seem to actually iterate through the stack...  Is this code even correct?  What am I missing?  Ditto for X509_REQ_add_extensions().

Thanks,

-Philip

I don't know how to do this via the API, but the source code for the
command line tools may give some good clues.  Here is how I would do it
with the command line tools:

First of all, you need to (administratively) decide how to subdivide
your private OID tree below your enterprise ID.  This would be a
company internal document listing how you use the OIDs and where to
put future OIDs of various kinds.  Use whatever document editing
system is used for other long term company documents.  Something like:

   Redfish solutions has been allocated the following OID prefix
   via the IANA "Enterprise numbers" process:

   RedfishOid = 1.3.6.1.4.1.9999999

   We subdivide this as follows:

   RedfishOid.1 = Redfish X.509 extensions
   RedfishOid.1.1 = FooBar extension, see design document RS12345
   RedfishOid.1.2 = BazQux extension, see design document RS12346
   RedfishOid.2 = Redfish SNMP extensions
   RedfishOid.2.1 = Redfish hardware-box-A SNMP extensions
   RedfishOid.3 = Redfish contributions to public standardisation efforts
   RedfishOid.4 = Redfish internal LDAP extensions used by HR

Next for the OpenSSL command line tools, you need to add the individual
X.509 related OIDs to the openssl.cnf file:

   In the [default] section:
   oid_section = new_oids

   In the [new_oids] section
   RedFishFooBar=1.3.6.1.4.1.9999999.1.1
   RedFishBazQux=1.3.6.1.4.1.9999999.1.2

From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to be encoded.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
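
The command line route described in the message above, carried through to a CSR, as an added example that is not part of the original message. It assumes an `openssl` binary on the PATH; the section names `pen_ext` and `dn`, the subject, and both extension values are constructed for illustration, and 9999999 is the placeholder enterprise number used in the message.

```shell
#!/bin/sh
# Added example: build a CSR carrying two private-enterprise (PEN) extensions.

make_pen_csr() {
    dir=$1
    # oid_section must sit in the default (unnamed) section at the top.
    cat > "$dir/openssl.cnf" <<'EOF'
oid_section = new_oids

[new_oids]
RedFishFooBar = 1.3.6.1.4.1.9999999.1.1
RedFishBazQux = 1.3.6.1.4.1.9999999.1.2

[req]
prompt = no
distinguished_name = dn
req_extensions = pen_ext

[dn]
CN = pen-demo.example

[pen_ext]
# Generic syntax: the value states its own encoding.
# ASN1: builds the DER from a type and a string (constructed sample value).
RedFishFooBar = ASN1:UTF8String:constructed sample value
# DER: takes the raw extension contents as hex (here a BOOLEAN TRUE).
RedFishBazQux = DER:01:01:FF
EOF
    # Unencrypted throwaway key, for the demonstration only.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/req.csr" \
        -config "$dir/openssl.cnf" 2>/dev/null
}

show_pen_extensions() {
    # The private names are not in the default config, so the OIDs are
    # printed numerically, each followed by its OCTET STRING payload.
    openssl asn1parse -in "$1/req.csr" | grep -A1 '9999999'
}

workdir=$(mktemp -d)
make_pen_csr "$workdir" && show_pen_extensions "$workdir"
```

Checking the CSR with `asn1parse` rather than `req -text` shows the bytes a CA will actually receive, independent of any local OID naming.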



