Vinay Kumar L wrote:
Hi all,

I have to generate a KDC certificate containing a Subject Alternative Name extension using openssl, which includes the following details:
**************************************************************************************************
The KDC's X.509 certificate MUST contain name of the realm for that KDC and the principal name of the KDC (defined in RFC 1510bis) as the SubjectAltName version 3 extension. Below is the definition of this version 3 extension, as specified by the X.509 standard:
    subjectAltName EXTENSION ::= {
        SYNTAX GeneralNames
        IDENTIFIED BY id-ce-subjectAltName
    }
    GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
         otherName      [0] OtherName,
         ...
    }
    OtherName ::= SEQUENCE {
         type-id        OBJECT IDENTIFIER,
         value          [0] EXPLICIT ANY DEFINED BY type-id
    }
For the purpose of specifying a Kerberos principal name, the value
in OtherName MUST be a KerberosName, defined as follows:
    KerberosName ::= SEQUENCE {
         realm          [0] Realm,
         principalName  [1] PrincipalName
    }
This specific syntax is identified within subjectAltName by setting
the type-id in OtherName to krb5PrincipalName, where (from the
Kerberos specification) we have
    krb5 OBJECT IDENTIFIER ::= { iso (1)
                                 org (3)
                                 dod (6)
                                 internet (1)
                                 security (5)
                                 kerberosv5 (2) }
    krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
*************************************************************************
Please suggest the SAN details that must be included in openssl.cnf for generating a KDC certificate containing the above-mentioned details as part of the Subject Alternative Name extension in the KDC certificate. I have generated a KDC certificate by including the following lines in openssl.cnf:
# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

Is it enough to include the above lines in openssl.cnf while generating the KDC certificate to add a Subject Alternative Name extension which satisfies the requirements mentioned in the beginning?
Please guide me.

Regards,
Vinay
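As an added example (not part of the post, of OpenSSL or of MIT Kerberos), the Python below encodes the GeneralName otherName that the openssl.cnf fragment above yields for a constructed realm EXAMPLE.COM and decodes it back, so the realm, name_type and krbtgt/REALM components in an issued certificate can be checked against the requirements quoted at the top. The DER helpers are the example's own and handle short-form lengths only, which is all a principal name needs.

```python
# DER body of OID 1.3.6.1.5.2.2 (krb5PrincipalName, the id-pkinit-san type-id)
KRB5_PRINCIPAL_NAME_OID = bytes.fromhex("2b0601050202")
NT_PRINCIPAL = 1  # the name_type the openssl.cnf fragment sets (INTEGER:1)

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form lengths only (principal names stay far below 128 bytes)."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

def _items(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a DER SEQUENCE body or EXPLICIT wrapper into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        assert length < 128, "short-form length only"
        out.append((tag, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out

def encode_kdc_other_name(realm: str, components: list[str]) -> bytes:
    """Constructed sample: the GeneralName otherName the openssl.cnf fragment above produces."""
    def gs(s: str) -> bytes:                      # GeneralString
        return _tlv(0x1B, s.encode("ascii"))
    def explicit(n: int, inner: bytes) -> bytes:  # [n] EXPLICIT context tag
        return _tlv(0xA0 | n, inner)
    principal = _tlv(0x30, explicit(0, _tlv(0x02, bytes([NT_PRINCIPAL])))
                     + explicit(1, _tlv(0x30, b"".join(gs(c) for c in components))))
    krb_name = _tlv(0x30, explicit(0, gs(realm)) + explicit(1, principal))
    # GeneralName.otherName is [0] IMPLICIT OtherName, so the outer SEQUENCE tag becomes 0xA0
    return _tlv(0xA0, _tlv(0x06, KRB5_PRINCIPAL_NAME_OID) + explicit(0, krb_name))

def decode_kdc_other_name(der: bytes) -> tuple[str, int, list[str]]:
    """Return (realm, name_type, components) of one GeneralName; ValueError if not a KerberosName."""
    tag, other_name = _items(der)[0]
    if tag != 0xA0:
        raise ValueError("GeneralName is not an otherName")
    (oid_tag, oid), (_, value) = _items(other_name)
    if oid_tag != 0x06 or oid != KRB5_PRINCIPAL_NAME_OID:
        raise ValueError("otherName type-id is not krb5PrincipalName")
    (_, krb_name), = _items(value)                # [0] EXPLICIT KerberosName
    (_, realm_wrap), (_, princ_wrap) = _items(krb_name)
    realm = _items(realm_wrap)[0][1].decode("ascii")
    (_, type_wrap), (_, strings_wrap) = _items(_items(princ_wrap)[0][1])
    name_type = int.from_bytes(_items(type_wrap)[0][1], "big", signed=True)
    components = [v.decode("ascii") for _, v in _items(_items(strings_wrap)[0][1])]
    return realm, name_type, components

def is_kdc_san(der: bytes, realm: str) -> bool:
    """True when the SAN names krbtgt/REALM@REALM with name_type NT-PRINCIPAL, as a KDC needs."""
    r, t, comps = decode_kdc_other_name(der)
    return r == realm and t == NT_PRINCIPAL and comps == ["krbtgt", realm]
```

Leaving out the princ2 line makes `is_kdc_san` return False, because the principal then has a single component instead of krbtgt/REALM.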