You're best off getting a private assigned number for this (or rather, the root 
of all your organization's OIDs). Look at 
http://www.iana.org/assignments/enterprise-numbers
________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Christian Hohnstaedt [christ...@hohnstaedt.de]
Sent: Thursday, January 13, 2011 11:21 PM
To: openssl-users@openssl.org
Subject: Re: Custom Attributes in the Subject of X.509 Certificate

On Wed, Jan 12, 2011 at 10:19:59PM -0800, Scott Thomas wrote:
> Bonjour All,
>
> First I explain the scenario. My domain name is, let's say, idtech.com. Under
> it I have created an ou=certificate users. Users are created under this OU.
> So my FQDN of a user is CN=scott,OU=Certificate Users,DC=idtech,DC=com. Same
> FQDN is in the subject of the user certificate & SC logon is working fine.
>
> If I want to add some custom attributes in the Subject of X.509 certificate,
> let's say NIC=148795-89759 & EmpNo=AQ5116494,
> then my Subject can become:
> CN=scott,NIC=148795-89759,EmpNo=AQ5116494,OU=Certificate Users,DC=idtech,DC=com
>
> Is it possible in OpenSSL?

Yes.

You need your own root OID.
I used 1.2.3.4.5.6.7 as a sample.

Put the following into your openssl.cnf

------------------------------------------
[ new_oids ]
NIC=1.2.3.4.5.6.7.8
EmpNo=1.2.3.4.5.6.7.9

[ req_distinguished_name ]
NIC                             = The NIC of the user
NIC_default                     = 148795-89759
EmpNo                           = Employer number
EmpNo_default                   = AQ5116494

------------------------------------------

You probably also need to add these OIDs to the software displaying
and evaluating the certificate.

On the other hand, to create RFC 3280-compliant certificates
one could use "title" or "pseudonym" like:

[ req_distinguished_name ]
title                           = The NIC of the user
pseudonym                       = Employer number


        Christian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
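
An added illustration (not from the thread and not OpenSSL code) of why the software displaying the certificate also needs the OID mapping: the subject carries only the numeric OID, so a decoder without the new_oids names can show only the dotted form. It uses the sample OIDs and values from the message above; the function names are hypothetical, values are assumed to be UTF8String, and only short-form DER lengths are handled.

```python
# Added example: one subject attribute with a private OID, DER-encoded and decoded.
# OIDs/values are the samples from the thread; function names are hypothetical.
# Assumptions: UTF8String values, short-form DER lengths (< 128 bytes) only.

def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, last byte has no high bit
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def encode_atv(dotted, value):
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }."""
    val = value.encode("utf-8")
    inner = encode_oid(dotted) + bytes([0x0C, len(val)]) + val
    return bytes([0x30, len(inner)]) + inner

def decode_atv(der, names):
    """Render 'type=value'; `names` maps dotted OIDs to short names, like [ new_oids ]."""
    if der[0] != 0x30 or der[2] != 0x06:
        raise ValueError("not a SEQUENCE starting with an OID")
    oid = der[4:4 + der[3]]
    arcs, acc = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                         # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    rest = der[4 + der[3]:]
    value = rest[2:2 + rest[1]].decode("utf-8")
    return f"{names.get(dotted, dotted)}={value}"

if __name__ == "__main__":
    atv = encode_atv("1.2.3.4.5.6.7.8", "148795-89759")
    print(atv.hex())
    print(decode_atv(atv, {}))                           # viewer without the mapping
    print(decode_atv(atv, {"1.2.3.4.5.6.7.8": "NIC"}))   # viewer with the mapping
```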