Re: [Anima] creating iDevID certs with openssl
Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 18 August 2017 19:29 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68BE01321B8 for <anima@ietfa.amsl.com>; Fri, 18 Aug 2017 12:29:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P3n3rRQXnMWF for <anima@ietfa.amsl.com>; Fri, 18 Aug 2017 12:29:38 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FBF1321A6 for <anima@ietf.org>; Fri, 18 Aug 2017 12:29:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id E3F0A62244; Fri, 18 Aug 2017 15:29:36 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id X10Jbf7w6M4P; Fri, 18 Aug 2017 15:29:29 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 0EB466223F; Fri, 18 Aug 2017 15:29:28 -0400 (EDT)
To: Kent Watsen <kwatsen@juniper.net>, "anima@ietf.org" <anima@ietf.org>
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com> <3a5adc64-1737-9ecc-5c13-b310b48c2ba0@htt-consult.com> <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <5ae589f2-5524-df9c-cd18-d621e012749f@htt-consult.com>
Date: Fri, 18 Aug 2017 15:29:26 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/MEuSjybsKpmYnHM6ytD7vhLxDKM>
Subject: Re: [Anima] creating iDevID certs with openssl
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 19:29:41 -0000
I want to share my work on building a generic ECDSA pki with an 802.1AR leaf. You can see my work at: http://www.htt-consult.com/pki.html I believe I have iDevID properly constructed, but I am not sure about hwSerailNumber plus its relationship to the DN's serialNumber. I am interested in feedback on this. I am willing to turn it into an ID. First I have to do CRL and OCSP support. openssl is NOT so easy to use for all this. :( Rich Salz and others on the openssl-user list were a great help. Bob On 08/16/2017 12:43 PM, Kent Watsen wrote: > Hi Bob, > > I'm watching this thread with interest. My take on this [1] is a little > different than yours, but I was just prototyping a rough solution, I > never took it to completion... > > [1] https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55 > > Kent > > -- > > Making some progress. > > > On 08/14/2017 01:44 PM, Robert Moskowitz wrote: >> I have just joined this list. So if this is covered in the archives >> anywhere, my weak search foo did not uncover it... >> >> Has anyone created iDevID certs with openssl including subjectAltName >> with hardwareModuleName? >> >> I have been working on this for a few days and have worked out HOW to >> even get certs to contain SAN, particularly going the csr route. I >> have learned on the openssl list that HMN is not directly supported >> and that you have to use othername. Something like >> >> [ req_ext ] >> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname >> >> [ hmodname ] >> hwType = OID:1.2.3.4 # Whatever OID you want. >> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex > This produces a subjectAltName content of: > > 0:d=0 hl=2 l= 27 cons: SEQUENCE > 2:d=1 hl=2 l= 25 cons: cont [ 0 ] > 4:d=2 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.8.4 > 14:d=2 hl=2 l= 13 cons: cont [ 0 ] > 16:d=3 hl=2 l= 11 cons: SEQUENCE > 18:d=4 hl=2 l= 3 prim: OBJECT :1.2.3.4 > 23:d=4 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:01020304 > > > I suspect that hwtype is a full vendor OID for registering this device. > Say my company, HTT Consulting makes sensor widgets. The OID for that > could be: > > 1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor > widget). > >> But I am not sure what exactly to do with hwType and hwSerialNum >> >> Are there any extant examples? > So googling around for examples and not finding any. But then my search > foo has always been weak. > >> Currently there is no way to feed any SAN value in at the command like >> 'openssl req'. It has to go into the config file, so once I work out >> WHAT to but into these fields, I will have to do some kludgly stuff to >> stuff values into the config then run the command. There are examples >> of this around for SANs of IP, DNS, etc. >> >> BTW, so far I have a simple guide for making a pki of ECDSA certs >> using openssl. I would be willing to share what I have done todate. >> The 802.1AR cert section is understandably incomplete... >> >> Bob > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima > > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima
- [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz