Re: [Anima] creating iDevID certs with openssl

Kent Watsen <> Wed, 16 August 2017 16:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BF0AE132351 for <>; Wed, 16 Aug 2017 09:43:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RDtG47aDqjfA for <>; Wed, 16 Aug 2017 09:43:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 19A85132332 for <>; Wed, 16 Aug 2017 09:43:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=VXYnNaP+aVrJFUjTqhVVNLcJ42kdXJqxZMMoXhHW+AQ=; b=M6uDh+WbKMViK8Ry64vCDT/pWhYB8gvyti440AbPUs9cEEEEnFLq38PGnbr8YGFlWEvj6LNCuOBfuhgqY4pv4ze1wdRiEKByOaElOrAQ/7u85tprD0PrEriKhK0tBeOSOxsQAq9TEqe0in9t0jUpinNaa4ImAgsQIyYg2q+vHss=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1362.12; Wed, 16 Aug 2017 16:43:15 +0000
Received: from ([]) by ([]) with mapi id 15.01.1362.018; Wed, 16 Aug 2017 16:43:15 +0000
From: Kent Watsen <>
To: Robert Moskowitz <>, "" <>
Thread-Topic: [Anima] creating iDevID certs with openssl
Thread-Index: AQHTFSUlAUd6DuxmKkeSAjMNgXmwoaKENaWAgAK6hYA=
Date: Wed, 16 Aug 2017 16:43:15 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1348; 6:R98VWNEkrKriQ2COWlGJga4aJvISfYIZ0HvOgl4ZF2DuiSwP+97WROi/oBXY2SVSGlLUTElz4E/TJXqCRQMNjgegsDR0l0GLHtIBlQhnp8gxbSQtRsTeXJi2+u+4i1KuQXSvbb1lL1GLMxyFnjIZc0CDxnm9sa3zTt87ueeZF+16Rk5ZiM8LEXkcG9guRy1tKZVGqqseNarFPhtl+bnCfb+57haNMMPGRC+TSjbQruXWTVfvfAu7Rto9SilwsNJk4bwOJwx1z1ZRCZVxkmRCxDawpieyZUbOCd+g03ueQihuSJD8WNBdXcKVAgWP8joXmEosfJXKptJ1HjPFr2G7Gw==; 5:GvmO0tQ5pf6mrXS0kUgBqdzXgebWTne4ZROH/GoS3jEmuwNSjNx8hC1Ks+Z5MPGf7sPzx+ZC9RS2j0k9ahMsIJww78W23X748QcWZB4xXBM4zAcYPMp4uxdjjr6O8z23b+pk9F7kN8jRGdsj/pRFkw==; 24:cHJZELHYeBMGoESG6qKLhhlTfXdN9O1PsPTdHMVTGLwisab4UtkqsGx9moOvUlltLL9WthFndliYhppm5h1P6FCwmi006MHdwQIBWJHmgPs=; 7:czE6D4Vqu6wo45HxeXtZLsFGmrXGqFK8l7Xa1roHRwgyq9TPVa7oc9+x6d478/lGZrFOr/27DQ3eMwmhwZg+AtTeR8fESq2gOtk5t/E4zec0ZPuAuBRzCHq96K7aR89jHTaWkO0pYZA29DuTSkVvAqpDfTzqVr8iyS4OG0HufAF4CvQGsJquhW4DaUI+Vv9HU6a3esgy9/Tq+IoN0MVUtS0a3eZOjQeZScZAfdPz9Io=
x-ms-office365-filtering-correlation-id: ac5372a1-761a-4d24-e328-08d4e4c5e439
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN3PR0501MB1348;
x-ms-traffictypediagnostic: BN3PR0501MB1348:
x-exchange-antispam-report-test: UriScan:(166708455590820);
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6055026)(6041248)(20161123564025)(20161123555025)(20161123562025)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN3PR0501MB1348; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN3PR0501MB1348;
x-forefront-prvs: 0401647B7F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(189002)(377454003)(24454002)(199003)(189998001)(33656002)(36756003)(97736004)(478600001)(7736002)(68736007)(4001350100001)(305945005)(25786009)(82746002)(2906002)(6246003)(2501003)(53546010)(86362001)(83716003)(6116002)(83506001)(102836003)(3846002)(6436002)(2950100002)(101416001)(53936002)(50986999)(6512007)(6506006)(966005)(54356999)(76176999)(2900100001)(3280700002)(106356001)(6486002)(5660300001)(6306002)(66066001)(14454004)(99286003)(229853002)(81156014)(3660700001)(8936002)(81166006)(77096006)(105586002)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1348;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Aug 2017 16:43:15.3365 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1348
Archived-At: <>
Subject: Re: [Anima] creating iDevID certs with openssl
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Aug 2017 16:43:20 -0000

Hi Bob,

I'm watching this thread with interest.  My take on this [1] is a little
different than yours, but I was just prototyping a rough solution, I
never took it to completion...




Making some progress.

On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list.  So if this is covered in the archives 
> anywhere, my weak search foo did not uncover it...
> Has anyone created iDevID certs with openssl including subjectAltName 
> with hardwareModuleName?
> I have been working on this for a few days and have worked out HOW to 
> even get certs to contain SAN, particularly going the csr route. I 
> have learned on the openssl list that HMN is not directly supported 
> and that you have to use othername.  Something like
> [ req_ext ]
> subjectAltName = otherName:;SEQ:hmodname
> [ hmodname ]
> hwType = OID: # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

This produces a subjectAltName content of:

     0:d=0  hl=2 l=  27 cons: SEQUENCE
     2:d=1  hl=2 l=  25 cons:  cont [ 0 ]
     4:d=2  hl=2 l=   8 prim:   OBJECT            :
    14:d=2  hl=2 l=  13 cons:   cont [ 0 ]
    16:d=3  hl=2 l=  11 cons:    SEQUENCE
    18:d=4  hl=2 l=   3 prim:     OBJECT            :
    23:d=4  hl=2 l=   4 prim:     OCTET STRING      [HEX DUMP]:01020304

I suspect that hwtype is a full vendor OID for registering this device.  
Say my company, HTT Consulting makes sensor widgets.  The OID for that 
could be: (where 10 is HTT's devices and 1 is the sensor 

> But I am not sure what exactly to do with hwType and hwSerialNum
> Are there any extant examples?

So googling around for examples and not finding any.  But then my search 
foo has always been weak.

> Currently there is no way to feed any SAN value in at the command like 
> 'openssl req'.  It has to go into the config file, so once I work out 
> WHAT to but into these fields, I will have to do some kludgly stuff to 
> stuff values into the config then run the command. There are examples 
> of this around for SANs of IP, DNS, etc.
> BTW, so far I have a simple guide for making a pki of ECDSA certs 
> using openssl.  I would be willing to share what I have done todate.  
> The 802.1AR cert section is understandably incomplete...
> Bob

Anima mailing list