On Tue, Oct 18, 2005 at 04:04:57PM +0200, Jernej Kos wrote:
> Hi,
> is there a way to add custom data (fields?) to SSL certificates? If
> so, where can I find more documentation about it?
There's not a huge amount of documentation about this. Several things I've found:

You need an ASN.1 OID to add your data under. We ended up using the service at http://www.itu.int/ITU-T/asn1/ to generate and register an OID under {joint-iso-itu-t(2) uuid(25)}, under which we can then generate our own OIDs. You then get a huge long code which you can use in a call to OBJ_create(YOUR_OID, SHORTNAME, LONGNAME), which gets you a "nid". The "nid" is the thing that you use to create & read X509V3 extensions in the certificates.

You need to explain to OpenSSL what format the extension field is. The easiest way to do this is to call X509V3_EXT_add_alias(YOUR_NID, SOME_EXISTING_NID), passing in some field which is the same sort of style as yours.

There's an example in the O'Reilly OpenSSL book (the source is available as a download at http://www.opensslbook.com/code.html) about how to sign certificates, and along the way add extensions, and you can add your own in at that point. You make a stack of extensions, put your extensions into the stack, add the stack to the request, sign the request.

Reading them is fairly easy once you've got a nid. You go:

    X509_get_ext_by_NID(CERTIFICATE, NID, START_FROM);

Probably with START_FROM = -1, unless you're trying to find the second occurrence of a field. This gives you -1 for not found, or a position. You then go:

    X509_get_ext(CERTIFICATE, POSITION);

And it'll get you the extension. There's then things to read the data out of it, and get its name and so on, which are all X509_EXTENSION_xxx type functions.

Once you know the function calls to be looking for, it all gets a bit easier! There's info at http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt

Also worth reading http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
