Subject alternative name issue:INFO

Vinay Kumar L vinaykumar.l at globaledgesoft.com
Wed Sep 22 01:49:46 EDT 2010


Hi all,

I have generated a KDC certificate using openssl for a PKINIT 
implementation. The following lines were included in openssl.cnf while 
generating the KDC certificate, so that it contains the Subject Alternative Name extension.

 # Add id-pkinit-san (pkinit subjectAlternativeName)

subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

But when I tried to view the contents of the KDC certificate using the following command: 
openssl asn1parse -in KDC.cert.pem, it looked as shown below:

690:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Issuer Alternative Name
695:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
699:d=4  hl=2 l= 102 cons: SEQUENCE
701:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
706:d=5  hl=2 l=  95 prim: OCTET STRING      [HEX DUMP]:305DA05B06062B0601050202A051304FA0141B12474C4F42414C45444745534F46542E434F4DA1373035A003020102A12E302C1B166B64632E676C6F62616C65646765736F66742E636F6D1B12474C4F42414C45444745534F46542E434F4D
803:d=1  hl=2 l=  13 cons: SEQUENCE

I tried asn1parse -strparse also:
openssl asn1parse -strparse 706 -in KDC.cert.pem, it looked as shown below:

0:d=0  hl=2 l=  93 cons: SEQUENCE
2:d=1  hl=2 l=  91 cons: cont [ 0 ]
4:d=2  hl=2 l=   6 prim: OBJECT            :1.3.6.1.5.2.2
12:d=2  hl=2 l=  81 cons: cont [ 0 ]
14:d=3  hl=2 l=  79 cons: SEQUENCE
16:d=4  hl=2 l=  20 cons: cont [ 0 ]
18:d=5  hl=2 l=  18 prim: GENERALSTRING
38:d=4  hl=2 l=  55 cons: cont [ 1 ]
40:d=5  hl=2 l=  53 cons: SEQUENCE
42:d=6  hl=2 l=   3 cons: cont [ 0 ]
44:d=7  hl=2 l=   1 prim: INTEGER           :02
47:d=6  hl=2 l=  46 cons: cont [ 1 ]
49:d=7  hl=2 l=  44 cons: SEQUENCE
51:d=8  hl=2 l=  22 prim: GENERALSTRING
75:d=8  hl=2 l=  18 prim: GENERALSTRING

My queries are:

a) Are the lines (mentioned above) included in openssl.cnf for adding a Subject Alternative Name to the KDC certificate correct?

b) Does the Subject Alternative Name extension included in the KDC certificate (by adding the above-mentioned lines to openssl.cnf) contain the REALM name and the KDC principal name?

c) What is the openssl command to view the contents of the Subject Alternative Name extension (in printable form) of the KDC certificate at the konsole, as the above-mentioned openssl commands (openssl asn1parse -in KDC.cert.pem, openssl asn1parse -strparse 706 -in KDC.cert.pem) print the SAN contents in hex form?

Please guide me.

Regards,
Vinay
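As an added example (not part of the post above), the following stand-alone Python script decodes the SAN OCTET STRING hex dump shown in the post into the printable realm and principal name that query (c) asks for. It walks the DER structure produced by the openssl.cnf module (otherName with OID 1.3.6.1.5.2.2 wrapping a KRB5PrincipalName) with a minimal TLV reader and uses only the standard library; the hex constant is copied from the asn1parse output in the post.

```python
"""Decode a PKINIT id-pkinit-san (KRB5PrincipalName) from the DER SAN value of a KDC certificate."""

# SAN extension value (the OCTET STRING contents) copied from the asn1parse output in the post.
SAN_HEX = ("305DA05B06062B0601050202A051304FA0141B12474C4F42414C45444745534F46542E434F4D"
           "A1373035A003020102A12E302C1B166B64632E676C6F62616C65646765736F66742E636F6D"
           "1B12474C4F42414C45444745534F46542E434F4D")
ID_PKINIT_SAN = bytes.fromhex("2B0601050202")  # OID 1.3.6.1.5.2.2, DER content octets

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV; handles short and long length forms."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each TLV laid out back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_pkinit_san(der):
    """Return [(name_type, realm, 'comp1/comp2/...')] for every id-pkinit-san otherName in a SAN value."""
    tag, names, _ = read_tlv(der)                   # GeneralNames ::= SEQUENCE OF GeneralName
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    out = []
    for gtag, gval in iter_tlvs(names):
        if gtag != 0xA0:                            # otherName is GeneralName CHOICE [0]
            continue
        (otag, oid), (vtag, explicit) = list(iter_tlvs(gval))
        if otag != 0x06 or oid != ID_PKINIT_SAN or vtag != 0xA0:
            continue                                # some other otherName type, skip it
        _, princ_name, _ = read_tlv(explicit)       # KRB5PrincipalName SEQUENCE
        fields = dict(iter_tlvs(princ_name))
        _, realm, _ = read_tlv(fields[0xA0])        # [0] realm  GeneralString
        _, pseq, _ = read_tlv(fields[0xA1])         # [1] principalName  PrincipalName SEQUENCE
        pfields = dict(iter_tlvs(pseq))
        _, ntype, _ = read_tlv(pfields[0xA0])       # [0] name-type  INTEGER
        _, strs, _ = read_tlv(pfields[0xA1])        # [1] name-string  SEQUENCE OF GeneralString (tag 0x1B)
        comps = [v.decode("ascii") for t, v in iter_tlvs(strs) if t == 0x1B]
        out.append((int.from_bytes(ntype, "big", signed=True), realm.decode("ascii"), "/".join(comps)))
    return out

if __name__ == "__main__":
    for ntype, realm, princ in decode_pkinit_san(bytes.fromhex(SAN_HEX)):
        print(f"name-type={ntype} principal={princ}@{realm}")
```

For this input the script prints the realm GLOBALEDGESOFT.COM and the principal kdc.globaledgesoft.com/GLOBALEDGESOFT.COM with name-type 2, which is what the asn1parse -strparse output encodes.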




More information about the Kerberos mailing list