Hi all,

I have generated a KDC certificate using openssl for a PKINIT 
implementation. The following lines were included in openssl.cnf while 
generating the KDC certificate containing the Subject Alternative Name extension.

# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

But when I tried to view the contents of the KDC certificate using the following 
command: 
openssl asn1parse -in KDC.cert.pem, it looked as shown below:

690:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Issuer Alternative Name
695:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
699:d=4  hl=2 l= 102 cons: SEQUENCE
701:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
706:d=5  hl=2 l=  95 prim: OCTET STRING      [HEX DUMP]:305DA05B06062B0601050202A051304FA0141B12474C4F42414C45444745534F46542E434F4DA1373035A003020102A12E302C1B166B64632E676C6F62616C65646765736F66742E636F6D1B12474C4F42414C45444745534F46542E434F4D
803:d=1  hl=2 l=  13 cons: SEQUENCE

I tried asn1parse -strparse also:
openssl asn1parse -strparse 706 -in KDC.cert.pem, it looked as shown below:

0:d=0  hl=2 l=  93 cons: SEQUENCE
2:d=1  hl=2 l=  91 cons: cont [ 0 ]
4:d=2  hl=2 l=   6 prim: OBJECT            :1.3.6.1.5.2.2
12:d=2  hl=2 l=  81 cons: cont [ 0 ]
14:d=3  hl=2 l=  79 cons: SEQUENCE
16:d=4  hl=2 l=  20 cons: cont [ 0 ]
18:d=5  hl=2 l=  18 prim: GENERALSTRING
38:d=4  hl=2 l=  55 cons: cont [ 1 ]
40:d=5  hl=2 l=  53 cons: SEQUENCE
42:d=6  hl=2 l=   3 cons: cont [ 0 ]
44:d=7  hl=2 l=   1 prim: INTEGER           :02
47:d=6  hl=2 l=  46 cons: cont [ 1 ]
49:d=7  hl=2 l=  44 cons: SEQUENCE
51:d=8  hl=2 l=  22 prim: GENERALSTRING
75:d=8  hl=2 l=  18 prim: GENERALSTRING

My queries are:

a) Are the lines (mentioned above) included in openssl.cnf for adding the 
Subject Alternative Name to the KDC certificate correct?

b) Does the Subject Alternative Name extension included in the KDC certificate (by 
adding the above-mentioned lines to openssl.cnf) contain the REALM name and KDC 
principal name?

c) What is the openssl command to view the contents of the Subject Alternative Name 
extension (in printable form) of the KDC certificate at the konsole, as the above-mentioned 
openssl commands (openssl asn1parse -in KDC.cert.pem, openssl asn1parse -strparse 706 -in 
KDC.cert.pem) print the SAN contents in hex form?

Please guide me.

Regards,
Vinay

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
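As an added example (not from the original post or from OpenSSL/MIT Kerberos), the following standard-library Python decodes the id-pkinit-san otherName (OID 1.3.6.1.5.2.2) out of the subjectAltName hex dump quoted above into its realm, name-type and name-string, so what the certificate actually carries can be read in printable form and checked against what openssl.cnf was meant to produce. It assumes DER-encoded GeneralNames as emitted by openssl (the hex dump at offset 706 is taken from the post).

```python
import binascii

PKINIT_SAN_OID = "1.3.6.1.5.2.2"   # id-pkinit-san

def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length (not needed here, but legal DER)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlv(buf):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_krb5_principal_name(der):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    realm_tlv, princ_tlv = iter_tlv(read_tlv(der, 0)[1])
    realm = read_tlv(realm_tlv[1], 0)[1].decode("ascii")
    type_tlv, names_tlv = iter_tlv(read_tlv(princ_tlv[1], 0)[1])
    name_type = int.from_bytes(read_tlv(type_tlv[1], 0)[1], "big", signed=True)
    name_string = [v.decode("ascii") for _, v in iter_tlv(read_tlv(names_tlv[1], 0)[1])]
    return {"realm": realm, "name_type": name_type, "name_string": name_string,
            "principal": "/".join(name_string) + "@" + realm}

def pkinit_sans(san_hex):
    """Return every id-pkinit-san found in a hex-encoded subjectAltName (GeneralNames) value."""
    results = []
    for tag, other_name in iter_tlv(read_tlv(binascii.unhexlify(san_hex), 0)[1]):
        if tag == 0xA0:                 # otherName is GeneralName CHOICE [0]
            (_, oid), (_, wrapped) = iter_tlv(other_name)   # type-id OID, value [0] EXPLICIT
            if decode_oid(oid) == PKINIT_SAN_OID:
                results.append(decode_krb5_principal_name(wrapped))
    return results

# Hex dump of the subjectAltName value quoted in the post above (offset 706).
SAN_HEX = ("305DA05B06062B0601050202A051304FA0141B12474C4F42414C45444745534F46542E434F4D"
           "A1373035A003020102A12E302C1B166B64632E676C6F62616C65646765736F66742E636F6D"
           "1B12474C4F42414C45444745534F46542E434F4D")
```

Calling pkinit_sans(SAN_HEX) returns a list of dicts with the decoded realm, name-type and name-string components for each id-pkinit-san present.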
