Hi all!

I'm writing this up to help those that may wish to
insert their own values into the extension section of
a certificate for use on internal applications. I do
not know yet what the outcome will be when using these
extensions with mainstream compliant applications.

In the beginning I didn't quite know what to ask being
new to openssl. I just knew I needed to add three
fields and equate each to a value. I needed to do this
on a certificate request that my CA didn't generate. I
needed my information to appear in the x509 extension
of the newly created certificate.

--wanted to thank the guys who helped me out!
Special thanks to Dr. Stephen Henson and Charles
Cranston for patiently answering my obviously newbie
questions. Thanks for the guidance!

Anyways, I was all over the map with my questions,
everything from modifying the DN to add my fields, to
trying to patch the openssl code.

You can't modify the DN if you don't create the key
and request yourself. Patching the openssl code won't
work because we would have to maintain a special
version of openssl for all in house systems. It would
be nice if openssl could read OID information from an
external database.

What follows is how I got it to work for me.

So here's my example certificate output

---------------example -------------
  RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:5a:a9:d8:a9:bf:2c:71:98:2f:b2:07:3d:18:
                    bc:b5:92:18:2e:ed:1e:89:aa:5a:98:44:a2:9a:21:
                    34:08:b3:ed:7b:9c:05:bf:eb:19:fe:6d:08:59:aa:
                    87:7b:d0:f6:b4:88:8d:47:e4:f0:0f:39:ce:bf:7f:
                    df:d9:fc:a2:3e:ac:b5:16:fe:76:e6:0b:99:24:65:
                    3e:e2:39:fb:15:d4:9a:85:7e:38:a1:de:13:68:03:
                    08:b2:1c:f5:37:6b:7b:1a:1a:6c:97:58:c9:00:0f:
                    83:fa:ca:8d:6a:14:c6:60:56:5d:92:be:59:fc:fc:
                    a6:7a:9a:d1:b7:a2:24:be:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:        <--- x509 ext
            1.3.6.1.4.1.9999.1002: <--my OID
                user_id=test   <--my field + val

-------------------------------------

--------------extfile------------

extensions = extend

[extend]
1.3.6.1.4.1.11039.1002 = DER::70:72:6F:76:69:xx:xx:xx:xx:xx:xx:xx:xx:65:73:74:0A

------------------------------------
openssl command I used...

openssl x509 -req -extfile extfile -days 180 -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -in test.csr -out test.crt

Here's the tool I used to convert my DER: section into
HEX
http://sec.angrypacket.com/code/hex0r.pl
thanks [EMAIL PROTECTED]

Hopefully this helps someone!

thanks again to the group!
cheers!






                

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
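
An added example (not part of the original post, and not OpenSSL project code): a Python stand-in for the hex conversion step that builds the extfile for the post's OID and the `user_id=test` value from its sample output. `raw=True` places the ASCII bytes directly after `DER:` as the post does; the default wraps them in a UTF8String header, an assumption of this example so that the extension body is itself a well-formed DER value as RFC 5280 expects. All function names are hypothetical.

```python
import re

# Dotted-decimal OID: first arc 0-2, no leading zeros in later arcs.
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")


def colon_hex(data: bytes) -> str:
    """Format bytes the way the extfile DER: value expects (AA:BB:...)."""
    return ":".join(f"{b:02X}" for b in data)


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_utf8string(text: str) -> bytes:
    """Tag 0x0C (UTF8String), then length, then the UTF-8 payload."""
    payload = text.encode("utf-8")
    return b"\x0c" + der_length(len(payload)) + payload


def extension_line(oid: str, text: str, raw: bool = False) -> str:
    """Return one '<oid> = DER:<hex>' line for the extension section.

    raw=True puts the text bytes directly after DER:, as in the post.
    raw=False (this example's assumption) wraps them as a UTF8String.
    """
    if not OID_RE.match(oid):
        raise ValueError(f"not a dotted-decimal OID: {oid!r}")
    if not text:
        raise ValueError("extension value must not be empty")
    body = text.encode("utf-8") if raw else der_utf8string(text)
    return f"{oid} = DER:{colon_hex(body)}"


def build_extfile(oid: str, text: str, raw: bool = False,
                  section: str = "extend") -> str:
    """Complete extfile text, using the section layout shown in the post."""
    line = extension_line(oid, text, raw)
    return f"extensions = {section}\n\n[{section}]\n{line}\n"


if __name__ == "__main__":
    # OID and value are the ones that appear in the post.
    print(build_extfile("1.3.6.1.4.1.11039.1002", "user_id=test"))
```

Save the printed text as `extfile` and pass it to the `openssl x509 -req -extfile extfile ...` command from the post.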
