Re: [Anima] creating iDevID certs with openssl

Robert Moskowitz <> Wed, 23 August 2017 12:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF04D132964 for <>; Wed, 23 Aug 2017 05:28:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q2myG9Si5_Ec for <>; Wed, 23 Aug 2017 05:28:41 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8455B132992 for <>; Wed, 23 Aug 2017 05:28:41 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 747FB615E4 for <>; Wed, 23 Aug 2017 08:28:40 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id 54za8PQp-3kB for <>; Wed, 23 Aug 2017 08:28:35 -0400 (EDT)
Received: from (unknown []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id C09E36210C for <>; Wed, 23 Aug 2017 08:28:34 -0400 (EDT)
From: Robert Moskowitz <>
References: <>
Message-ID: <>
Date: Wed, 23 Aug 2017 08:28:17 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Anima] creating iDevID certs with openssl
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Aug 2017 12:28:45 -0000

I have updated my guide for building a little ECDSA pki, including 
iDevID certs.  You can see it at:

PEM works.  DER does not work.  I have been finding problems with 
openssl command line support for DER.  Which brings up a question for 
this list:

What format do you expect to see for: 


PEM supports cert chains, DER does not.
DER is nice and small for small devices.  A PEM non-password P-256 
private key object is 241 bytes.  DER is 121 bytes (DER does not support 
encrypting the private key object).  This is a real cost of secure 
storage for some devices.

What format are the various bootstrap objects (eg vouchers)?  Has anyone 
built any of these for PoC?

On 08/14/2017 01:44 PM, Robert Moskowitz wrote:
> I have just joined this list.  So if this is covered in the archives 
> anywhere, my weak search foo did not uncover it...
> Has anyone created iDevID certs with openssl including subjectAltName 
> with hardwareModuleName?
> I have been working on this for a few days and have worked out HOW to 
> even get certs to contain SAN, particularly going the csr route. I 
> have learned on the openssl list that HMN is not directly supported 
> and that you have to use othername.  Something like
> [ req_ext ]
> subjectAltName = otherName:;SEQ:hmodname
> [ hmodname ]
> hwType = OID: # Whatever OID you want.
> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex
> But I am not sure what exactly to do with hwType and hwSerialNum
> Are there any extant examples?
> Currently there is no way to feed any SAN value in at the command like 
> 'openssl req'.  It has to go into the config file, so once I work out 
> WHAT to but into these fields, I will have to do some kludgly stuff to 
> stuff values into the config then run the command. There are examples 
> of this around for SANs of IP, DNS, etc.
> BTW, so far I have a simple guide for making a pki of ECDSA certs 
> using openssl.  I would be willing to share what I have done todate.  
> The 802.1AR cert section is understandably incomplete...
> Bob
> _______________________________________________
> Anima mailing list