k_o_

Reputation: 6288

SubjectAltName with otherName and BITSTRING as hex

I'm trying to add an otherName to the subjectAltName with a BITSTRING given in hex format. According to ASN1_generate_nconf the format should be FORMAT:HEX,BITSTRING:0123456.... But this fails with:

Error Loading command line extensions
139796908598592:error:0D0B20C2:asn1 encoding routines:ASN1_generate_v3:unknown tag:../crypto/asn1/asn1_gen.c:94:
139796908598592:error:220A4093:X509 V3 routines:a2i_GENERAL_NAME:othername error:../crypto/x509v3/v3_alt.c:492:
139796908598592:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=otherName:2.5.4.45;FORMAT:HEX,BITSTRING:1234567890

I'm using OpenSSL 1.1.1f. I assume the comma is the problem. I have already tried:

Everything on the command line:

openssl req -newkey -x509 -subj "/CN=Test" -nodes -out test.pem -addext "subjectAltName=otherName:2.5.4.45;FORMAT:HEX,BITSTRING:1234567890"

Providing a config:

openssl req -newkey -x509 -subj "/CN=Test" -nodes -out test.pem -extensions SAN -config <(printf "[SAN]\nsubjectAltName=otherName:2.5.4.45;FORMAT:HEX,BITSTRING:1234567890")

Upvotes: 0

Views: 577

Answers (1)

dave_thompson_085

Reputation: 38771

It is indeed the comma. Quoting the man page for x509v3_config:

Multi-valued extensions have a short form and a long form. The short form is a comma-separated list of names and values: ...
The long form allows [actually: requires] the values to be placed in a separate section: ...
If an extension is multi-value and a field value must contain a comma the long form must be used otherwise the comma would be misinterpreted as a field separator. ...

Also -x509 requires an argument, and even though you use -subj to specify the subject name, the config file must still contain a section for distinguished_name -- but it can be empty.

Combined:

openssl req -newkey rsa:2048 -keyout keyfile -nodes -x509 -subj "/CN=test" -config <(cat <<END
[req]
distinguished_name=dn
x509_extensions=ext
[dn]
[ext]
subjectAltName=@san
[san]
otherName=2.5.4.45;FORMAT:HEX,BITSTRING:12345678
END
)

Incidentally openssl knows the name x500UniqueIdentifier for 2.5.4.45, and using that might be clearer to users or maintainers.

Upvotes: 1
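To make the answer's point concrete, here is an added example (not code from the question or the answer): it shows how the short form of a multi-valued extension splits the value on the comma, builds the long-form (section-based) req config the answer describes, hand-encodes the DER that `otherName=2.5.4.45;FORMAT:HEX,BITSTRING:12345678` asks OpenSSL to produce, and, if an `openssl` binary is on PATH, runs the same `openssl req` invocation and checks that the encoded otherName actually appears in the issued certificate. The OID 2.5.4.45 and the hex payload come from the thread; the `-batch` flag is an addition that only suppresses interactive prompting, and the function names are this example's own.

```python
"""Added example: long-form subjectAltName config with a comma-containing
otherName value, plus a check of the resulting DER (not the thread's code)."""
import base64
import os
import shutil
import subprocess
import tempfile

# Values from the question: x500UniqueIdentifier and the sample hex payload.
OTHER_NAME_OID = "2.5.4.45"
BITSTRING_HEX = "12345678"


def short_form_fields(value):
    """Mimic the short form of a multi-valued extension: the whole value is
    split on commas, so the FORMAT/BITSTRING part becomes a separate field and
    ASN1_generate_v3 sees an incomplete spec. This is the failure in the question."""
    return [f.strip() for f in value.split(",")]


def build_req_config(san_entries):
    """Long form: subjectAltName refers to a section (@san) whose values may
    contain commas. The empty [dn] section satisfies req's requirement for a
    distinguished_name section even when -subj supplies the subject."""
    lines = ["[req]", "distinguished_name=dn", "x509_extensions=ext",
             "[dn]", "[ext]", "subjectAltName=@san", "[san]"]
    lines += [f"{name}={value}" for name, value in san_entries]
    return "\n".join(lines) + "\n"


def der_tlv(tag, content):
    """Minimal DER TLV with short or long definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs merged, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def encode_othername_bitstring(oid, hex_value):
    """GeneralName otherName ([0] IMPLICIT OtherName), where
       OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
    FORMAT:HEX,BITSTRING yields a BIT STRING with 0 unused bits."""
    bit_string = der_tlv(0x03, b"\x00" + bytes.fromhex(hex_value))
    return der_tlv(0xA0, encode_oid(oid) + der_tlv(0xA0, bit_string))


def cert_contains_othername(config_text, expected_der):
    """Run 'openssl req' as in the answer and look for expected_der in the DER
    of the self-signed certificate. Returns None when no openssl binary is
    available, otherwise True or False."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "req.cnf")
        cert = os.path.join(tmp, "cert.pem")
        with open(cfg, "w") as fh:
            fh.write(config_text)
        subprocess.run(["openssl", "req", "-newkey", "rsa:2048", "-keyout",
                        os.path.join(tmp, "key.pem"), "-nodes", "-x509", "-batch",
                        "-subj", "/CN=test", "-config", cfg, "-out", cert],
                       check=True, capture_output=True)
        with open(cert) as fh:
            pem_body = "".join(line for line in fh if not line.startswith("-----"))
        return expected_der in base64.b64decode(pem_body)


if __name__ == "__main__":
    value = f"{OTHER_NAME_OID};FORMAT:HEX,BITSTRING:{BITSTRING_HEX}"
    print("short form splits into:", short_form_fields("otherName:" + value))
    cfg = build_req_config([("otherName", value)])
    der = encode_othername_bitstring(OTHER_NAME_OID, BITSTRING_HEX)
    print("expected otherName DER:", der.hex())
    print("certificate contains it:", cert_contains_othername(cfg, der))
```

The substring check on the certificate DER is deliberately simple: the otherName GeneralName is a fixed byte sequence (`a00e060355042da00703050012345678` for the values above), so finding it anywhere in the certificate confirms OpenSSL parsed the long-form value as one field and encoded the BIT STRING with zero unused bits.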
