On Thu, May 11, 2023 at 03:48:52PM -0400, Robert Moskowitz wrote:

> > No, you would use "otherName", which is a combination of an OID and
> > corresponding data. You would register (if there isn't one already) a
> > suitable OID for DET-values, and choose a suitable DET encoding to go
> > with that OID.
>
> I was told that the name in openSSL is IP, not as 5280 uses, iPAddress.

If these DET certificates are really IP address certificates (i.e.
authenticate a node at the specified address, as e.g. for establishing
IPSEC connections, or HTTPS connections to IP-address valued origin
URLs, ...), then sure, you could overload the IP address SAN. But I
suspect that's not the case...

> It would seem that some generalName is supported here, but how to code
> it in the conf file?

There are example SANs in x509v3_config(5), the last of which is
"otherName":

    otherName can include arbitrary data associated with an OID: the
    value should be the OID followed by a semicolon and the content in
    standard ASN1_generate_nconf(3) format.

    Examples:

        subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
        subjectAltName=IP:192.168.7.1
        subjectAltName=IP:13::17
        subjectAltName=email:my@other.address,RID:1.2.3.4
        subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

So see also ASN1_generate_nconf(3).

-- 
    Viktor.
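The following script is an added, end-to-end illustration of the otherName syntax quoted above; it is not part of Viktor's message or of OpenSSL's own documentation. It writes a minimal openssl.cnf whose subjectAltName carries an otherName in the "OID;ASN1_generate_nconf value" form, issues a self-signed certificate from it, prints the SAN as openssl decodes it, and then checks the raw DER for the encoded OID. It assumes an `openssl` CLI (1.1.1 or 3.x) on PATH. The OID 1.2.3.4 is the man page's placeholder, not a registered arc: a real DET deployment would register its own OID and pick its own value encoding (UTF8 here, but any ASN1_generate_nconf type such as OCT works the same way).

```shell
#!/bin/sh
# Added example, not part of the original thread: build a self-signed
# certificate whose subjectAltName carries an otherName written with the
# x509v3_config(5) syntax, then confirm the otherName actually made it
# into the DER. Assumes an `openssl` CLI (1.1.1 or 3.x) on PATH.
# OID 1.2.3.4 is the man page's placeholder, not a registered arc; a real
# DET deployment would register its own OID and pick its own encoding.
set -eu

# write_config FILE: openssl.cnf for `req -x509` with a prompt-less DN and
# a SAN holding one otherName (OID;ASN1_generate_nconf value) plus an IP
# entry, to show the comma-separated list form from the man page.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext

[ dn ]
CN = othername-san-example

[ v3_ext ]
basicConstraints = critical, CA:FALSE
subjectAltName   = otherName:1.2.3.4;UTF8:some other identifier, IP:192.168.7.1
EOF
}

# gen_cert DIR: generate a key and self-signed cert under DIR, print the
# certificate path on stdout.
gen_cert() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null \
        || { echo "openssl req failed" >&2; return 1; }
    echo "$dir/cert.pem"
}

# san_text CERT: the human-readable SAN line from `x509 -text`. Older
# releases print unknown otherName OIDs as "<unsupported>", so this is
# for eyeballing, not for a strict check.
san_text() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# der_hex CERT: the certificate's DER as one lowercase hex string.
der_hex() {
    openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# has_othername_oid CERT: true if the DER contains the encoded OID 1.2.3.4
# (tag 06, length 03, contents 2a 03 04). Checking the bytes works the
# same on every openssl version, unlike the -text rendering.
has_othername_oid() {
    der_hex "$1" | grep -q '06032a0304'
}

# Stand-alone run: build, show, verify, clean up.
work=$(mktemp -d)
cert=$(gen_cert "$work")
echo "SAN as printed by openssl:"
san_text "$cert"
if has_othername_oid "$cert"; then
    echo "otherName OID 1.2.3.4 present in DER"
else
    echo "otherName OID missing from DER" >&2
    rm -rf "$work"
    exit 1
fi
rm -rf "$work"
```

The DER check is there because `openssl x509 -text` is not a reliable oracle for otherName: depending on the release it renders an unregistered OID as "othername:<unsupported>" or similar, which looks like a failure even though the extension is encoded correctly. The byte pattern 06 03 2a 03 04 is the DER of the OID itself (first two arcs 1 and 2 fold into 40*1+2 = 0x2a), so its presence shows that the otherName was emitted regardless of how the printer labels it.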