Specifically for FASC-N, I have been tooling around with it, and I feel like what I have is close, but it doesn't work, and I haven't found anything on the openssl site that clarifies how to specify OCT strings in the config files (for the moment I'm just using some of the FASC-Ns from the test cards, I don't recall which card this is from):
subjectAltName=otherName:2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:0xd6501858289d6dcacc9325a16859a46927c9d45c86501843e2
Before I ask on the openssl lists, I thought I would ask here, since I could imagine this might be something people here figured out years ago.
Thanks,
Jeff
On 5/16/2013 9:22 PM, Krug, Jeff wrote:
> Thanks for the response to my other question about FASC-N's in certs, as we progress with our demo, we are looking to mimic some PIV style certificates so our demo can be done without , and I was
> curious if anyone here has used openssl to generate a certificate with PIV extension fields? I'm mostly curious about the FASC-N, but if there is a general config that allows one to generate PIV
> style certificates that would also be useful.
OpenSC 0.13 supports NIST 800-73-3 including RSA and EC.
For use with Windows 7 it appears that a CHUID object is needed, and
the CHUID has the FASCN. I have some programs, used to create test cards
using OpenSC, that add a FASCN to the CHUID if you are interested.
>
> Specifically for FASC-N, I have been tooling around with it, and I feel like what I have is close, but it doesn't work, and I haven't found anything on the openssl site that clarifies how to specify
> OCT strings in the config files (for the moment I'm just using some of the FASC-Ns from the test cards, I don't recall which card this is from):
>
> subjectAltName=otherName:2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:0xd6501858289d6dcacc9325a16859a46927c9d45c86501843e2
For the test card I have worked with, I have created the other 3 certs for a card, but never needed
to create the card auth cert with the FASCN.
In a genreq script I have something like this:
CONF=/tmp/genreq.$$.openssl.conf
SSLEAY_CONFIG="-config $CONF"
export SSLEAY_CONFIG
# sub the user name for CN and UPN and emailaddress
sed -e "s/@@CN@@/$2/" \
-e "s/@@TYPE@@/$KEYID/" \
-e "s/@@EMAIL@@/$EMAILUPN/" \
-e "s/@@UPN@@/$EMAILUPN/" genreq.openssl.conf > $CONF
The genreq.openssl.conf has:
# Will change to the type of card we are requesting
req_extensions = v3_req@@TYPE@@ # The extensions to add to a certificate request
[ v3_req9A ]
# Extensions to add to a certificate request for login
#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=otherName:msUPN;UTF8:@@UPN@@
[ v3_req9D ]
# Extensions to add to a certificate request for encrypt
#basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
subjectAltName=email:@@EMAIL@@
[ v3_req9C ]
# Extensions to add to a certificate request for signed email
#basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
subjectAltName=email:@@EMAIL@@
Adding the 9E cert should be similar using David's comments
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = msSmartcardLogin,clientAuth
The CA (OpenSSL or Microsoft) will add (as needed):
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = msSmartcardLogin,clientAuth
>
> Before I ask on the openssl lists, I thought I would ask here, since I could imagine this might be something people here figured out years ago.
>
> Thanks,
> Jeff
>
>
>
> _______________________________________________
> PIV-test-cards mailing list
> PIV-test-cards at nist.gov
> https://groups.google.com/a/list.nist.gov/forum/#!forum/piv-test-cards
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Thanks,
Jeff
________________________________
From: David A. Cooper [david.cooper at nist.gov]
Sent: Friday, May 17, 2013 10:11 AM
To: Krug, Jeff
Cc: piv-test-cards
Subject: Re: [Piv-test-cards] More questions about FASC-N in Certs
I actually generated all of the certificates for the test PIV Cards using OpenSSL. I just manually added the information for each certificate to the configuration files, so I don't know of any way to create a general configuration file. Below are the portions of the config file for the subjectAltName extensions for test card 1's PIV Authentication certificate and Card Authentication certificate. The differences that I see are that I didn't include "0x" at the beginning of the OCTET STRING value and that I placed the values in a new section rather than on the same line as "subjectAltName=". I don't know if the second part was necessary, so it may be that just deleting the "0x" would be sufficient.
________________________________
subjectAltName=@PIVTestCard1_PIVAuth_SAN
[PIVTestCard1_PIVAuth_SAN]
otherName.1=1.3.6.1.4.1.311.20.2.3;UTF8:32015465737401@upn.example.com
otherName.2=2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D6501858289D6DCACC9325A16859A46927C9D45C86501843E2
________________________________
subjectAltName=@PIVTestCard1_CardAuth_SAN
[PIVTestCard1_CardAuth_SAN]
otherName=2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D6501858289D6DCACC9325A16859A46927C9D45C86501843E2
________________________________
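As an added example (not code from anyone in this thread), the Python below builds the DER that the `otherName=2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:...` line in David's sections makes OpenSSL emit, and decodes the FASC-N value quoted in the thread into its fields while checking each character's parity and the trailing LRC. The field layout (SS, agency code, FS, system code, FS, credential number, FS, CS, FS, ICI, FS, PI, OC, OI, POA, ES, LRC) is the SCEPACS FASC-N format, which is assumed here rather than stated anywhere in the thread.

```python
# Added example, not code from the thread: builds the DER that the
# "otherName=2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:<hex>" config line makes
# OpenSSL emit, and decodes the 25-byte FASC-N carried in that OCTET STRING.
from functools import reduce
from operator import xor
FASCN_OID = "2.16.840.1.101.3.6.6"  # id-piv-fasc-n, as used in the thread
FASCN_HEX = "D6501858289D6DCACC9325A16859A46927C9D45C86501843E2"  # from the thread

def _der(tag, body):  # every length in this example is below 128 bytes
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return _der(0x06, bytes(body))

def fascn_othername_der(fascn):
    """GeneralName otherName: [0] { type-id OID, value [0] EXPLICIT OCTET STRING }"""
    if len(fascn) != 25:
        raise ValueError("FASC-N must be 25 bytes (200 bits)")
    return _der(0xA0, encode_oid(FASCN_OID) + _der(0xA0, _der(0x04, fascn)))

# SCEPACS layout (assumed): SS AC FS SC FS CN FS CS FS ICI FS PI OC OI POA ES LRC,
# i.e. 40 five-bit characters of 4 data bits (sent LSB first) plus an odd parity bit.
NAMES = ["agency_code", "system_code", "credential_number", "credential_series",
         "individual_credential_issue", "person_identifier", "organizational_category",
         "organizational_identifier", "person_org_association"]

def decode_fascn(fascn):
    bits = int.from_bytes(fascn, "big")
    chars = [(bits >> (195 - 5 * i)) & 0x1F for i in range(40)]
    if any(bin(c).count("1") % 2 == 0 for c in chars):
        raise ValueError("parity error in FASC-N")
    nibbles = [int(f"{c >> 1:04b}"[::-1], 2) for c in chars]  # undo LSB-first order
    if reduce(xor, nibbles[:39]) != nibbles[39]:
        raise ValueError("LRC mismatch")
    text = "".join("0123456789.S.F.E"[n] for n in nibbles[:39])  # 11=SS 13=FS 15=ES
    if text[0] != "S" or text[38] != "E":
        raise ValueError("bad start/end sentinel")
    groups = text[1:38].split("F")
    if [len(g) for g in groups] != [4, 4, 6, 1, 1, 16] or not all(g.isdigit() for g in groups):
        raise ValueError("unexpected FASC-N field layout")
    tail = groups[5]  # PI(10) OC(1) OI(4) POA(1) are not separator-delimited
    return dict(zip(NAMES, groups[:5] + [tail[:10], tail[10:11], tail[11:15], tail[15:]]))
```

Running `decode_fascn(bytes.fromhex(FASCN_HEX))` shows the agency code 3201 that also leads the UPN in David's PIV Authentication section, and `fascn_othername_der` makes visible that the config line yields an OCTET STRING (tag 0x04) inside the explicit [0] wrapper, which is what a relying party parsing the SAN expects.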