====== X509 PKI ======

===== subjectAlternativeName =====

  * GoLinuxCloud
    * [[https://www.golinuxcloud.com/openssl-subject-alternative-name/|Steps to generate CSR for SAN certificate with openssl]]
    * [[https://www.golinuxcloud.com/things-to-consider-when-creating-csr-openssl/|Things to consider when creating CSR with OpenSSL]]
  * [[https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line|Provide subjectAltName to openssl directly on the command line]]
  * [[wp>Subject Alternative Name]]

===== OIDs and ASN1 =====

  * [[https://www.encryptionconsulting.com/education-center/what-is-an-oid|What is an Object Identifier (OID) in PKI? How do you obtain an OID?]]
  * [[http://oid-info.com/|OID Repository]]
  * [[https://serverfault.com/questions/551477/is-there-reserved-oid-space-for-internal-enterprise-cas/551479#551479|Is there reserved OID space for internal enterprise CAs?]]
  * [[https://knowledge.digicert.com/quovadis/ssl-certificates/csr-generation/inserting-custom-oids-into-openssl.html|Inserting Custom OIDs into OpenSSL]] — contains an error or outdated information; for the last example to work with modern OpenSSL, the last line of the config should use syntax like this: ''MyOutstandingOID=ASN1:UTF8String:Hubert Dean''
  * [[https://stackoverflow.com/questions/14623335/how-to-specify-the-syntax-for-values-of-private-oids-while-configuring-in-openss|How to specify the Syntax for Values of Private OIDs while configuring in OpenSSL?]] — explains the problem noted in the previous item
  * OpenSSL manual pages:
    * [[https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html|x509v3_config (5)]] --- on adding arbitrary extensions
    * [[https://www.openssl.org/docs/man1.1.1/man3/ASN1_generate_nconf.html|ASN1_generate_nconf]] --- specifying OID syntaxes and input file data format

===== Other =====

  * [[https://security.stackexchange.com/questions/106257/alternatives-to-htmls-deprecated-keygen-for-client-certs/|Alternatives to HTML's deprecated <keygen> for client certs?]] — generating certificates in a browser
  * [[https://www.wikihow.com/Be-Your-Own-Certificate-Authority|How to Be Your Own Certificate Authority]] --- contains outdated and/or suboptimal suggestions, but great for showing the general strategy