On Fri, Jan 01, 2010, Martin Kaiser wrote: > Hi Michael, all, > > Thus wrote michaelfmichaelf (michael_fur...@hotmail.com): > > > 2) Where can I find the example for otherName in ASN1 format? > > Unfortunately, the example shown in the link above does not contain the ASN1 > > format: > > > subjectAltName=otherName:1.2.3.4;UTF8:some other identifier > > I've never actually used this so I can just make some guesses. According > to RFC3280, the ASN.1 definition of otherName is > > OtherName ::= SEQUENCE { > type-id OBJECT IDENTIFIER, > value [0] EXPLICIT ANY DEFINED BY type-id } > > So the example above seems to point in the right direction. I've just > done a test with > > mar...@askja:~/tmp$ cat alt.ext > subjectAltName=otherName:1.3.6.1.5.5.7.1.99;BITSTRING:deadbeef > > mar...@askja:~/tmp$ openssl x509 -req -in testReq.pem -out testCert.pem \ > -signkey testKey.pem -extfile alt.ext > Signature ok > subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd > Getting Private key > > This seemed to work. ASN.1 part of the certificate is as follows > > 513 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) > <04 1B> > 518 27: OCTET STRING, encapsulates { > <30 19> > 520 25: SEQUENCE { > <A0 17> > 522 23: [0] { > <06 08> > 524 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 1 26' > <A0 0B> > 534 11: [0] { > <03 09> > 536 9: BIT STRING 'deadbeef' > : } > : } > : } > : } > > Unfortunately, > > mar...@askja:~/tmp$ openssl x509 -in testCert.pem -noout -text > > just displays > > X509v3 extensions: > X509v3 Subject Alternative Name: > othername:<unsupported> > > > Which information do you want to encode in otherName? >
Currently OpenSSL doesn't display any otherName values. It can't know the preceise meaning of that field in general because the format could be totally arbitrary. At best it could asn1parse the contents. More extensive documentation on the format is here: http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html# Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org