At 09:52 29.11.2001 +0000, you wrote:
>Hi Guys,
>
>I have come across an issue here, where some fellow designers want to
>generate an x.509 certificate for use with OpenSSL, but they want to
>specifically bind the generated cert to only be used with one individual
>IP address. Is this possible? I have been doing a bit of reading up on
>X.509 cert format, and I have yet to see any field or part of the cert,
>which would contain an IP address value, or allow the cert to be used only
>with a specific IP address.
>
>I had always thought that the cert was independent of the network
>configuration of the machine it was being used on, but is this always the case?
>
>Cheers,
>
>Brian
Yes, it is possible. If you have read the spec and missed it, the subjectAltName field is an X509 v3 extension, OID 2.5.29.17. You may store an IP address there. This is very useful for IPSec, the standard for encrypting IP packets. As IP packets are sent from one IP address to another, it makes very much sense to use the IP address as the primary identity for authentication. Using the subjectAltName seems to be far more popular than putting the IP address in the subjectDN, as CN.

Jörn Sierwald
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
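To make the reply concrete, here is an added example (not part of the thread, and not OpenSSL's own code) that builds the subjectAltName extension described above as raw DER, with OID 2.5.29.17 and the iPAddress GeneralName (context tag [7]), then reads it back and checks a peer address against it. All function names and the sample addresses 10.0.0.1, 2001:db8::1 and vpn.example.test are constructed for the illustration; it uses only the Python standard library.

```python
"""Build and inspect an X.509 subjectAltName extension (OID 2.5.29.17)
that carries iPAddress entries, using hand-written DER (stdlib only)."""
import ipaddress

SAN_OID = "2.5.29.17"
TAG_DNS = 0x82  # GeneralName dNSName   [2] IA5String    (context-specific, primitive)
TAG_IP = 0x87   # GeneralName iPAddress [7] OCTET STRING (raw network-order octets)


def _der_len(n):
    # DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytes([40 * parts[0] + parts[1]])  # first two arcs share one byte
    for p in parts[2:]:
        body += _base128(p)
    return _tlv(0x06, body)


def decode_oid(body):
    parts, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def build_san_extension(names):
    """names: list of ("IP", "10.0.0.1") / ("DNS", "host") tuples -> DER Extension."""
    general_names = b""
    for kind, value in names:
        if kind == "IP":
            # iPAddress is the packed address (4 or 16 octets), never its text form
            general_names += _tlv(TAG_IP, ipaddress.ip_address(value).packed)
        elif kind == "DNS":
            general_names += _tlv(TAG_DNS, value.encode("ascii"))
        else:
            raise ValueError(kind)
    ext_value = _tlv(0x04, _tlv(0x30, general_names))  # OCTET STRING { SEQUENCE OF GeneralName }
    return _tlv(0x30, encode_oid(SAN_OID) + ext_value)  # Extension SEQUENCE; critical omitted = FALSE


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san_extension(ext):
    """Return [(kind, value), ...] from a DER Extension; raises if it is not a SAN."""
    tag, body, _ = _read_tlv(ext, 0)
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    tag, inner, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN present: skip to the OCTET STRING
        tag, inner, pos = _read_tlv(body, pos)
    _, names, _ = _read_tlv(inner, 0)
    out, p = [], 0
    while p < len(names):
        tag, val, p = _read_tlv(names, p)
        if tag == TAG_IP:
            out.append(("IP", str(ipaddress.ip_address(val))))
        elif tag == TAG_DNS:
            out.append(("DNS", val.decode("ascii")))
        else:
            out.append(("other", val))  # other GeneralName choices are kept but never matched
    return out


def cert_matches_ip(ext, peer_ip):
    """True only if an iPAddress entry equals peer_ip; dNSName text never counts."""
    want = ipaddress.ip_address(peer_ip)
    return any(kind == "IP" and ipaddress.ip_address(val) == want
               for kind, val in parse_san_extension(ext))


if __name__ == "__main__":
    ext = build_san_extension([("IP", "10.0.0.1"), ("DNS", "vpn.example.test")])
    print(ext.hex())
    print(parse_san_extension(ext), cert_matches_ip(ext, "10.0.0.1"))
```

In an OpenSSL configuration the same extension is requested with a `subjectAltName = IP:10.0.0.1` line (DNS and IP entries may be mixed). The check at the end is the part a verifier has to get right: the peer address is compared type-for-type against iPAddress entries only, so a dNSName whose text merely looks like an address does not satisfy it, and IPv6 comparison is done on the parsed address rather than on its spelling.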