[Anima] creating iDevID certs with openssl
Robert Moskowitz <rgm-sec@htt-consult.com> Mon, 14 August 2017 17:45 UTC
To: anima@ietf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com>
Date: Mon, 14 Aug 2017 13:44:42 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/k5UCPqBgHw78ea5mxW7hwMWQLUs>
Subject: [Anima] creating iDevID certs with openssl
I have just joined this list. So if this is covered in the archives anywhere, my weak search foo did not uncover it...

Has anyone created iDevID certs with openssl including subjectAltName with hardwareModuleName?

I have been working on this for a few days and have worked out HOW to even get certs to contain SAN, particularly going the csr route. I have learned on the openssl list that HMN is not directly supported and that you have to use othername. Something like

    [ req_ext ]
    subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

    [ hmodname ]
    hwType = OID:1.2.3.4                     # Whatever OID you want.
    hwSerialNum = FORMAT:HEX,OCT:01020304    # Some hex

But I am not sure what exactly to do with hwType and hwSerialNum. Are there any extant examples?

Currently there is no way to feed any SAN value in at the command line with 'openssl req'. It has to go into the config file, so once I work out WHAT to put into these fields, I will have to do some kludgy stuff to stuff values into the config then run the command. There are examples of this around for SANs of IP, DNS, etc.

BTW, so far I have a simple guide for making a pki of ECDSA certs using openssl. I would be willing to share what I have done to date. The 802.1AR cert section is understandably incomplete...

Bob
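Added example, not part of Bob's message or any project's code: a pure standard-library encoder and strict decoder for the DER that ends up inside the subjectAltName otherName when the config stanza above is used. RFC 4108 defines the value as HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }, carried under type-id 1.3.6.1.5.5.7.8.4; hwType is an OID the manufacturer assigns to the hardware model and hwSerialNum is the raw serial-number bytes. The hwType 1.2.3.4 and serial 01 02 03 04 are the placeholder values from the message; the function names are my own.

```python
"""
HardwareModuleName (RFC 4108) DER encode/decode, standard library only.

    id-on-hardwareModuleName OBJECT IDENTIFIER ::= 1.3.6.1.5.5.7.8.4
    HardwareModuleName ::= SEQUENCE {
        hwType       OBJECT IDENTIFIER,   -- identifies the hardware type
        hwSerialNum  OCTET STRING }       -- raw serial-number bytes
"""
from typing import Tuple

ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"


# ---- minimal DER helpers -------------------------------------------------

def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, operating on the OID's content bytes."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


# ---- HardwareModuleName --------------------------------------------------

def encode_hardware_module_name(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """SEQUENCE { hwType OID, hwSerialNum OCTET STRING } in DER."""
    return _der_tlv(0x30, encode_oid(hw_type_oid) + _der_tlv(0x04, hw_serial))


def decode_hardware_module_name(der: bytes) -> Tuple[str, bytes]:
    """Strict parse: rejects wrong tags, extra fields and trailing bytes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag1, oid_body, pos = _read_tlv(body, 0)
    tag2, serial, pos = _read_tlv(body, pos)
    if tag1 != 0x06 or tag2 != 0x04 or pos != len(body):
        raise ValueError("expected OID followed by OCTET STRING")
    return decode_oid(oid_body), serial


def encode_hmn_general_name(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """Full GeneralName: otherName [0] IMPLICIT { type-id, [0] EXPLICIT value }.
    This is one subjectAltName entry, i.e. what the otherName:...;SEQ:hmodname
    stanza asks openssl to build."""
    hmn = encode_hardware_module_name(hw_type_oid, hw_serial)
    return _der_tlv(0xA0, encode_oid(ID_ON_HARDWARE_MODULE_NAME) + _der_tlv(0xA0, hmn))


if __name__ == "__main__":
    serial = bytes.fromhex("01020304")  # constructed placeholder serial
    hmn = encode_hardware_module_name("1.2.3.4", serial)
    print("HardwareModuleName:", hmn.hex())
    print("GeneralName       :", encode_hmn_general_name("1.2.3.4", serial).hex())
    print("decoded           :", decode_hardware_module_name(hmn))
```

To check a CSR produced from the config above, run `openssl asn1parse -i -dump` over it (or `openssl req -noout -text`) and compare the otherName bytes with what this script prints; the SEQUENCE should be 30 0b 06 03 2a 03 04 04 04 01 02 03 04 for the placeholder values. The decoder is deliberately strict because a relying party that accepts sloppy DER here (trailing bytes, a wrong tag for the serial) can be made to agree on a different identity than the signer intended.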
- [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz