On Fri, Mar 14, 2003, Aleix Conchillo Flaque wrote:

> hi,
>
> I've been looking at the list archives trying to find out how to add
> additional extensions to certificates.
>
> I found the thread "Adding Application Attributes to X509 Certificates?",
> which is about what I'm asking but using openssl commands and the openssl
> configuration file. Even so, I don't know if "Brian Skrab", who was
> asking how to do it, finally solved it.
>
> My questions are:
>
> 1) I'd like to add an additional (attribute, value) pair to a
> certificate; can I use any OID? RFC 2459 suggests following IANA or
> ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. Do
> I need to follow the same conventions? If so, where can I find them?
>

Using any OID is not recommended because the OID may already be used for
another purpose. If you want a custom OID for your organization you should
get an OID tree allocated, for example:

http://www.isi.edu/cgi-bin/iana/enterprise.pl

> 2) I'd also like to add an extended key usage; the OID is defined in
> openssl as follows:
>
> #define OBJ_ext_key_usage OBJ_id_ce,37
>
> Can I use it for my extended key usage? Would this follow the
> conventions in question 1?
>
> #define OBJ_MY_ext_key_usage OBJ_id_ce,37,1
>

See my answer to question 1. If you want your own usage you can add an OID
from your own tree.

> 3) Once I have an OID, should I use these functions to add an extension
> to a certificate?
>
> X509_EXTENSION_create_by_OBJ
> X509_EXTENSION_set_object
> X509_EXTENSION_set_critical
> X509_EXTENSION_set_data
>
> and
>
> X509_add_ext
>
> Any help would be appreciated, thanks in advance.
>

If the OID is your own then you can add whatever you want to a certificate.
However, you should add a DER ASN.1 structure and not just raw data.

If you are using the standard OpenSSL tools to create the certificate (ca,
req etc.) then you can use the DER option to add custom extension data,
provided you've worked out a valid encoding.

In OpenSSL 0.9.8-dev you can also use its mini-ASN1 compiler and do things
like:

my_extension=ASN1:UTF8:My custom extension value

See doc/openssl.txt for more info.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
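The reply above makes two points that are easy to get wrong in practice: the extension value must be a DER-encoded ASN.1 structure rather than raw bytes, and the OID must come from your own arc. The following is an added example, not part of the thread and not OpenSSL's code: a small pure-Python (standard library only) encoder and decoder for the RFC 2459 `Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }` structure, with the value encoded as a UTF8String, which is what the `ASN1:UTF8:...` config line produces. The OID `2.999.1` is a hypothetical placeholder (2.999 is the arc reserved for documentation examples, not an allocated enterprise tree); `2.5.29.37` (id-ce extKeyUsage, the `OBJ_id_ce,37` from the question) is encoded alongside only for comparison. The `ASN1:UTF8:` syntax and the text of the value are taken from the reply; everything else is assumed for illustration.

```python
"""Added example: hand-encode and decode the DER of an X.509 v3 Extension.

Extension ::= SEQUENCE {
    extnID     OBJECT IDENTIFIER,
    critical   BOOLEAN DEFAULT FALSE,
    extnValue  OCTET STRING }     -- holds the DER of the actual value

OID 2.999.1 is hypothetical (2.999 = example arc); it stands in for an
OID from an enterprise tree you have actually been allocated.
"""

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE = (
    0x01, 0x04, 0x06, 0x0C, 0x30)


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _encode_length(len(content)) + content


def _base128(n: int) -> bytes:
    """Base-128 with continuation bits, most significant group first (OID arcs)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID; first two arcs are packed as 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(TAG_OID, body)


def der_utf8string(text: str) -> bytes:
    """What 'my_extension=ASN1:UTF8:<text>' produces as the extension value."""
    return der_tlv(TAG_UTF8STRING, text.encode("utf-8"))


def build_extension(oid: str, value_der: bytes, critical: bool = False) -> bytes:
    """Wrap an already DER-encoded value into the Extension SEQUENCE.

    value_der must itself be DER (e.g. from der_utf8string); passing raw text
    here is the 'raw data, not a DER structure' mistake the reply warns about.
    """
    parts = der_oid(oid)
    if critical:  # DEFAULT FALSE, so DER omits the BOOLEAN when it is FALSE
        parts += der_tlv(TAG_BOOLEAN, b"\xff")
    parts += der_tlv(TAG_OCTET_STRING, value_der)
    return der_tlv(TAG_SEQUENCE, parts)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_extension(der: bytes):
    """Parse an Extension; returns (dotted OID, critical, inner value DER)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != TAG_OID:
        raise ValueError("extnID missing")
    critical = False
    tag, content, pos = _read_tlv(seq, pos)
    if tag == TAG_BOOLEAN:
        critical = content == b"\xff"
        tag, content, pos = _read_tlv(seq, pos)
    if tag != TAG_OCTET_STRING or pos != len(seq):
        raise ValueError("extnValue missing or trailing data")
    return decode_oid(oid_body), critical, content


if __name__ == "__main__":
    value = der_utf8string("My custom extension value")
    ext = build_extension("2.999.1", value)
    print(ext.hex())
    print(decode_extension(ext))
```

The inner DER returned by `decode_extension` (or produced by `der_utf8string`) is exactly the content of the OCTET STRING that `X509_EXTENSION_create_by_OBJ` expects in its `ASN1_OCTET_STRING` argument, so the same bytes serve whether you go through the config file or the C API. `decode_oid` also shows why `OBJ_id_ce,37,1` is not a free choice: it is a sub-arc of 2.5.29.37, inside the id-ce tree rather than one allocated to you.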