
I will deploy a fleet of offline-only devices to the field. They will authenticate to each other with an X.509 TLS certificate signed by a custom chain, which each will hold inside a hardware crypto element.

Is there a field in an X.509 certificate that is widely used for storing a device type and serial number?

The common name (CN) could be used, but it is checked for a valid domain by some libraries automatically, which disqualifies it from my point of view.

Adding a custom certificate extension also seems not ideal, as some libraries might not support it, as I have read.

Is there a field that is widely supported and can be used for arbitrary user data?

  • *The common name (CN) could be used, but is checked for a valid domain by some libraries automatically which disqualifies it in my point of view.* Not if you have a valid Subject Alternative Name on the cert. Use of the CN for validation has been deprecated for 20 years. – Andrew Henle Dec 24 '21 at 13:11
  • [RFC 2818, section 3.1, dated ***May 2000***](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1): "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. ... In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI." – Andrew Henle Dec 24 '21 at 13:16
  • Interesting, thanks. Is it legal to store a .local domain inside the Subject Alternative Name field? As the certificates are also used as client certs, no other data would make sense to me. If using it for a hostname is deprecated for the CN, what should it be used for at this time, meaning could it be used for a device identifier? – gaiuscosades Dec 24 '21 at 13:37
  • Do you know the difference between client certs and server certs? *Client* certificates were never checked for valid domain because that doesn't make sense for the client side. But there is a field just for serial numbers, so you can use that. – President James K. Polk Dec 24 '21 at 18:42
  • I do not know of a specific difference in the data contained, only that the hostnames are not checked for clients at connection establishment. But as all my certificates shall be used as both server/client, I can view all of them as server certs as far as I am concerned. As to the serial number field, I thought that this field can only contain numbers, which is a bit restrictive and seems "hacky" when a device family/type/serial number shall be encoded, but is of course possible. – gaiuscosades Dec 24 '21 at 19:54
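To make the comment thread concrete, here is an added example (not code from the question or from anyone in the comments) that issues a device certificate from a private fleet CA and carries the device type and serial number only in standard fields: the subject `serialNumber` attribute (OID 2.5.4.5, a PrintableString, so letters and hyphens are allowed), the subject OU for the device family, and a SAN URI entry so that SAN-only checks still see the identity. It then reads the identity back and verifies the issuer signature, as the peer would after the TLS handshake. It assumes the pyca `cryptography` package; the organisation name, device type, serial values and the `urn:example:device:` namespace are constructed for illustration.

```python
"""Carry a device type and serial number in an X.509 certificate using only
standard, widely parsed fields, and read them back on the peer.

Added example for this question; not code from the question or its comments.
Assumes the pyca `cryptography` package. The organisation, device names, the
urn:example: namespace and serial values are constructed for illustration.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ORG = "Example Fleet"  # constructed organisation name


def _validity(days):
    """(not_before, not_after) as aware UTC datetimes, with 5 min clock slack."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca():
    """Private fleet root: self-signed, CA=true, path length 0. Returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
        x509.NameAttribute(NameOID.COMMON_NAME, "Example Fleet Root CA"),
    ])
    nb, na = _validity(3650)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_device_cert(ca_key, ca_cert, device_type, serial):
    """Device certificate signed by the fleet CA. Returns (key, cert).

    The identity lives in fields that TLS libraries do not treat as a DNS name:
      - subject serialNumber (OID 2.5.4.5): PrintableString, so "SN-000123" is fine;
      - subject organizationalUnitName: the device type / family;
      - a SAN URI entry repeating both, for code that only consults the SAN.
    The CN is a human-readable label only and is never used for matching.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, device_type),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, serial),
        x509.NameAttribute(NameOID.COMMON_NAME, f"{device_type} {serial}"),
    ])
    san = x509.SubjectAlternativeName([
        x509.UniformResourceIdentifier(f"urn:example:device:{device_type}:{serial}"),
    ])
    # Every fleet device acts as both TLS server and TLS client.
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH,
                                 ExtendedKeyUsageOID.CLIENT_AUTH])
    nb, na = _validity(730)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(san, critical=False)
            .add_extension(eku, critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def device_identity(cert):
    """Read type, serial and SAN URI back from a (already chain-verified) peer cert."""
    def attr(oid):
        vals = cert.subject.get_attributes_for_oid(oid)
        return vals[0].value if vals else None
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    except x509.ExtensionNotFound:
        uris = []
    return {"device_type": attr(NameOID.ORGANIZATIONAL_UNIT_NAME),
            "serial": attr(NameOID.SERIAL_NUMBER),
            "uri": uris[0] if uris else None}


def issued_by(cert, ca_cert):
    """True if ca_cert is the named issuer, its key verifies the signature,
    and the certificate is currently within its validity window."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    utc = datetime.timezone.utc
    # *_utc accessors exist from cryptography 42; fall back to the naive ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    return nb <= datetime.datetime.now(utc) <= na


def pem_roundtrip(cert):
    """Serialise to PEM and parse again, as a peer receiving the cert would."""
    return x509.load_pem_x509_certificate(cert.public_bytes(serialization.Encoding.PEM))


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, dev_cert = make_device_cert(ca_key, ca_cert, "sensor-v2", "SN-000123")
    received = pem_roundtrip(dev_cert)
    print("issued by fleet CA:", issued_by(received, ca_cert))
    print("identity:", device_identity(received))
```

Note the order of operations in `issued_by` and `device_identity`: the identity fields are only meaningful after the chain back to the fleet CA has been verified, since anyone can put any serial number into a self-made certificate. In a real deployment the private key would be generated and kept inside the hardware crypto element and only a CSR would leave the device; here it is generated in software purely so the example runs stand-alone.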

0 Answers