Re: Setting Issuer Alternative Name

On 5/11/23 12:33, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 11:26:25AM -0400, Robert Moskowitz wrote:
>
>> In rfc5280:
>>
>>      IssuerAltName ::= GeneralNames
>>
>>      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>>
>>      GeneralName ::= CHOICE {
>>           otherName                       [0]     OtherName,
>>           rfc822Name                      [1]     IA5String,
>>           dNSName                         [2]     IA5String,
>>           x400Address                     [3]     ORAddress,
>>           directoryName                   [4]     Name,
>>           ediPartyName                    [5]     EDIPartyName,
>>           uniformResourceIdentifier       [6]     IA5String,
>>           iPAddress                       [7]     OCTET STRING,
>>           registeredID                    [8]     OBJECT IDENTIFIER }
>>
>> So since I want a DET as IssuerAltName (e.g.
>> 20010030000000052aeb9adc1ce8b1ecO), it seems that iPAddress is the only
>> thing that works.  So in the config file, I tried:
>
> No, you would use "otherName", which is a combination of an OID and
> corresponding data.  You would register (if there isn't one already) a
> suitable OID for DET-values, and choose a suitable DET encoding to go
> with that OID.

I was told that the name in openSSL is IP, not as 5280 uses, iPAddress.

But that did not work either.

It would seem that some generalName is supported here, but how to code it in the conf file?

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer
authorityKeyIdentifier = "IP:20010030000000052aeb9adc1ce8b1ec"

Error checking x509 extension section v3_ca
408C864BD77F0000:error:11000078:X509 V3 routines:v2i_AUTHORITY_KEYID:unknown option:crypto/x509/v3_akid.c:131:name=IP
408C864BD77F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=IP:20010030000000052aeb9adc1ce8b1ec
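
An added example, not part of the original message: the error above comes from v2i_AUTHORITY_KEYID because authorityKeyIdentifier only accepts the keyid and issuer options, while GeneralName values go in the separate issuerAltName extension. The fragment sketches the otherName form suggested in the quoted reply. The OID (taken from the 2.999 example arc, not registered for DETs), the OCTET STRING encoding of the 16-byte DET, and the section name issuer_alt are all assumptions.

```ini
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer

# GeneralName values belong in issuerAltName, not authorityKeyIdentifier.
# Pointing at a section keeps the comma in the ASN.1 string below from
# being parsed as a separator between multiple extension values.
issuerAltName = @issuer_alt

[ issuer_alt ]
# Syntax: otherName = <OID>;<ASN1_generate_nconf(3) string>
# 2.999.1 is a PLACEHOLDER OID from the example arc; replace it with the
# OID actually registered for DET values.
# Assumed encoding: the 128-bit DET as a raw OCTET STRING given in hex.
otherName = 2.999.1;FORMAT:HEX,OCTETSTRING:20010030000000052aeb9adc1ce8b1ec
```

After issuing a certificate with this section, `openssl x509 -noout -text` lists the value under "X509v3 Issuer Alternative Name".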




