Re: [Anima] creating iDevID certs with openssl
Kent Watsen <kwatsen@juniper.net> Wed, 16 August 2017 16:43 UTC
From: Kent Watsen <kwatsen@juniper.net>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, "anima@ietf.org" <anima@ietf.org>
Date: Wed, 16 Aug 2017 16:43:15 +0000
Message-ID: <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net>
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com> <3a5adc64-1737-9ecc-5c13-b310b48c2ba0@htt-consult.com>
In-Reply-To: <3a5adc64-1737-9ecc-5c13-b310b48c2ba0@htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/IThknvgnTVCiKblPUYZru4rRstY>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
Hi Bob,

I'm watching this thread with interest. My take on this [1] is a little
different than yours, but I was just prototyping a rough solution, I never
took it to completion...

[1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55

Kent

--

Making some progress.

On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list. So if this is covered in the archives
> anywhere, my weak search foo did not uncover it...
>
> Has anyone created iDevID certs with openssl including subjectAltName
> with hardwareModuleName?
>
> I have been working on this for a few days and have worked out HOW to
> even get certs to contain SAN, particularly going the csr route. I
> have learned on the openssl list that HMN is not directly supported
> and that you have to use othername. Something like
>
> [ req_ext ]
> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname
>
> [ hmodname ]
> hwType = OID:1.2.3.4 # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex

This produces a subjectAltName content of:

    0:d=0  hl=2 l=  27 cons: SEQUENCE
    2:d=1  hl=2 l=  25 cons: cont [ 0 ]
    4:d=2  hl=2 l=   8 prim: OBJECT            :1.3.6.1.5.5.7.8.4
   14:d=2  hl=2 l=  13 cons: cont [ 0 ]
   16:d=3  hl=2 l=  11 cons: SEQUENCE
   18:d=4  hl=2 l=   3 prim: OBJECT            :1.2.3.4
   23:d=4  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:01020304

I suspect that hwType is a full vendor OID for registering this device.
Say my company, HTT Consulting, makes sensor widgets. The OID for that
could be: 1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the
sensor widget).

> But I am not sure what exactly to do with hwType and hwSerialNum
>
> Are there any extant examples?

So googling around for examples and not finding any. But then my search
foo has always been weak.

> Currently there is no way to feed any SAN value in at the command line
> with 'openssl req'. It has to go into the config file, so once I work
> out WHAT to put into these fields, I will have to do some kludgy stuff
> to stuff values into the config then run the command. There are
> examples of this around for SANs of IP, DNS, etc.
>
> BTW, so far I have a simple guide for making a pki of ECDSA certs
> using openssl. I would be willing to share what I have done to date.
> The 802.1AR cert section is understandably incomplete...
>
> Bob

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
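The thread's open question is what actually ends up on the wire when the `otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname` stanza is used, and how the other side gets hwType and hwSerialNum back out of the resulting certificate. The block below is an added example written for this page; it is not code from the original messages, from Kent's repository, or from OpenSSL. It builds the same DER that the asn1parse dump above shows (the stdlib-only encoder is its own, not OpenSSL's), parses it back the way a registrar or verifier would, and emits the per-device `req_ext`/`hmodname` stanza. The function names are this example's own; the hwType `1.3.6.1.4.1.6715.10.1` is the HTT Consulting sample suggested above, and every serial number is a constructed value.

```python
"""Build and parse the hardwareModuleName otherName (RFC 4108) that an IEEE 802.1AR
IDevID carries in subjectAltName, in stdlib-only Python.

Added example for this thread, not code from the original messages or from OpenSSL.
Function names are this example's own, hwType 1.3.6.1.4.1.6715.10.1 is the HTT
Consulting sample suggested above, and every serial number here is constructed.
"""

ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"   # id-on-hardwareModuleName


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def hardware_module_name_san(hw_type: str, hw_serial: bytes) -> bytes:
    """SubjectAltName DER with one otherName, the shape the asn1parse dump shows:
       SEQUENCE (GeneralNames)                        0x30
         [0] IMPLICIT OtherName                       0xA0 (replaces its SEQUENCE tag)
           type-id  OBJECT IDENTIFIER                 0x06  1.3.6.1.5.5.7.8.4
           value    [0] EXPLICIT HardwareModuleName   0xA0 wrapping 0x30
             hwType      OBJECT IDENTIFIER            0x06
             hwSerialNum OCTET STRING                 0x04
    """
    hmn = tlv(0x30, der_oid(hw_type) + tlv(0x04, hw_serial))
    other_name = tlv(0xA0, der_oid(ID_ON_HARDWARE_MODULE_NAME) + tlv(0xA0, hmn))
    return tlv(0x30, other_name)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_hardware_module_name(san_der: bytes):
    """What a registrar does with an IDevID: walk the SAN, skip dNSName/iPAddress
    entries and other otherName types, and return (hwType, hwSerialNum).
    Raises ValueError when the SAN is malformed or carries no hardwareModuleName."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag != 0xA0:                    # not an otherName
            continue
        t, oid, p = _read_tlv(content, 0)
        if t != 0x06 or _decode_oid(oid) != ID_ON_HARDWARE_MODULE_NAME:
            continue                       # an otherName of some other type
        t, inner, _ = _read_tlv(content, p)
        t2, hmn, _ = _read_tlv(inner, 0)
        if t != 0xA0 or t2 != 0x30:
            raise ValueError("value is not [0] EXPLICIT SEQUENCE")
        t, hw_type, p = _read_tlv(hmn, 0)
        t2, serial, _ = _read_tlv(hmn, p)
        if t != 0x06 or t2 != 0x04:
            raise ValueError("bad hwType/hwSerialNum tags")
        return _decode_oid(hw_type), serial
    raise ValueError("no hardwareModuleName in SAN")


def openssl_req_ext(hw_type: str, hw_serial: bytes) -> str:
    """The req_ext/hmodname stanza from the thread, filled in for one device."""
    return ("[ req_ext ]\n"
            f"subjectAltName = otherName:{ID_ON_HARDWARE_MODULE_NAME};SEQ:hmodname\n\n"
            "[ hmodname ]\n"
            f"hwType = OID:{hw_type}\n"
            f"hwSerialNum = FORMAT:HEX,OCT:{hw_serial.hex().upper()}\n")
```

`hardware_module_name_san("1.2.3.4", bytes.fromhex("01020304"))` reproduces the 27-byte SEQUENCE in the dump above byte for byte, which is a quick way to confirm that the `SEQ:hmodname` stanza really yields an RFC 4108 HardwareModuleName and not some other nesting. To use the stanza on the OpenSSL side, append the output of `openssl_req_ext()` to the request config and run `openssl req -new -key dev.key -config openssl.cnf -reqexts req_ext -out dev.csr`; `openssl req -in dev.csr -noout -text` shows the otherName. One caveat that bites here: `openssl ca` drops the CSR's extensions when it signs unless the CA's config section sets `copy_extensions = copy` (or the CA adds the SAN itself from its own extension section), so check the issued certificate with `openssl x509 -in dev.crt -noout -text`, not just the CSR. The parser is the other half a practitioner needs: it extracts hwType and hwSerialNum regardless of which other GeneralNames sit in the same SAN, and refuses a SAN that has no hardwareModuleName instead of silently returning nothing.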
- [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz