Re: adding extensions to certificates

2003-03-14 Thread Dr. Stephen Henson
On Fri, Mar 14, 2003, Aleix Conchillo Flaque wrote:

> hi,
> 
> i've been looking at the archives list trying to search how to add
> additional extensions to certificates.
> 
> i found the thread "Adding Application Attributes to X509 Certificates?"
> that is about what i'm asking but using openssl commands and openssl
> configuration file. even though, i don't know if "Brian Skrab" who was
> asking on how to do it, finally solved it.
> 
> my questions are:
> 
> 1) I'd like to add an additional (attribute,value) pair to a
>    certificate, can i use any OID? RFC 2459 suggests to follow IANA or
>    ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. do
>    i need to follow the same conventions? if so, where can i find them?
> 

Using any OID is not recommended because the OID may already be used for
another purpose. If you want a custom OID for your organization you should get
an OID tree allocated, for example:

http://www.isi.edu/cgi-bin/iana/enterprise.pl

> 2) I'd also like to add an extended key usage, the oid is defined in
>    openssl as follows:
> 
> #define OBJ_ext_key_usage   OBJ_id_ce,37
> 
>    can i use for my extended key usage? would this follow the
>    conventions on question 1?
> 
> #define OBJ_MY_ext_key_usage    OBJ_id_ce,37,1
> 

See my answer to question 1. If you want your own usage you can add an OID
from your own tree.

> 3) Once i have an OID, should i use these functions to add an extension
>    to a certificate?
> 
> X509_EXTENSION_create_by_OBJ
> X509_EXTENSION_set_object
> X509_EXTENSION_set_critical
> X509_EXTENSION_set_data
> 
> and
> 
> X509_add_ext
> 
> any help would be appreciated, thanks in advance.
> 

If the OID is your own then you can add whatever you want to a certificate.
However you should add a DER ASN1 structure and not just raw data. If you are
using the standard OpenSSL tools to create the certificate (ca, req etc) then
you can use the DER option to add custom extension data provided you've worked
out a valid encoding.

In OpenSSL 0.9.8-dev you can also use its mini-ASN1 compiler and do things
like:

my_extension=ASN1:UTF8:My custom extension value

See doc/openssl.txt for more info.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        [EMAIL PROTECTED]
Automated List Manager           [EMAIL PROTECTED]
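Steve's point that a custom extension value must be a DER-encoded ASN.1 structure, not raw bytes, is easiest to see by building one. The following is an added example in standard-library Python, not code from this thread or from OpenSSL: it encodes RFC 2459's Extension SEQUENCE for a private OID under the IANA enterprise arc 1.3.6.1.4.1 (the enterprise number 99999 is a placeholder, not an allocated one), wraps a UTF8String as the extnValue, decodes the result again as a check, and renders the value in the `DER:xx:xx` hex form that an OpenSSL x509v3 config section accepts as the byte-level counterpart of the `ASN1:UTF8:` shortcut mentioned above. The decoder also shows the check a relying party must make: an unrecognised extension that is marked critical means the certificate is rejected, and malformed DER is a parse failure, never something to treat as opaque data.

```python
# Added example (stdlib only, not code from the thread or from OpenSSL):
# DER-encode a custom X.509 extension and decode it again as a check.

EXAMPLE_OID = "1.3.6.1.4.1.99999.1"  # 1.3.6.1.4.1 is the IANA enterprise arc;
                                      # 99999 is a placeholder, not an allocated PEN

def der_length(n: int) -> bytes:
    """Definite-form length: one octet below 128, else 0x80|count then big-endian octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value: the building block for every type below."""
    return bytes([tag]) + der_length(len(value)) + value

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs fold into 40*a+b, and each
    subidentifier is base 128 with the high bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        octets = [sub & 0x7F]
        sub >>= 7
        while sub:
            octets.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(octets))
    return der_tlv(0x06, bytes(out))

def der_utf8string(text: str) -> bytes:
    """UTF8String (tag 0x0C); this is the structure behind 'ASN1:UTF8:...'."""
    return der_tlv(0x0C, text.encode("utf-8"))

def build_extension(oid: str, extn_value: bytes, critical: bool = False) -> bytes:
    """RFC 2459 Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits a component equal to its DEFAULT, so the
    BOOLEAN is present only when critical is TRUE."""
    parts = [der_oid(oid)]
    if critical:
        parts.append(der_tlv(0x01, b"\xff"))
    parts.append(der_tlv(0x04, extn_value))
    return der_tlv(0x30, b"".join(parts))

def config_der_line(name: str, extn_value: bytes, critical: bool = False) -> str:
    """Render extnValue in the DER:xx:xx form an OpenSSL x509v3 config section accepts."""
    hexed = ":".join(f"{b:02x}" for b in extn_value)
    return f"{name}={'critical,' if critical else ''}DER:{hexed}"

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); truncated input is an error."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Inverse of der_oid on the content octets."""
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if not subids or cur:
        raise ValueError("malformed OID")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])

def decode_extension(der: bytes):
    """Parse an Extension back into (dotted OID, critical, extnValue bytes).
    A verifier that does not recognise the OID must reject the certificate when
    critical is True, and must treat malformed DER as a failure, not as raw data."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:
        critical = value == b"\xff"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return decode_oid(oid_body), critical, value

if __name__ == "__main__":
    value = der_utf8string("My custom extension value")
    ext = build_extension(EXAMPLE_OID, value)
    print(ext.hex())
    print(decode_extension(ext))
    print(config_der_line("my_extension", value))
```

The `config_der_line` output is what you would paste into the extensions section used by `ca` or `req` when the config shortcut does not cover the structure you need; everything before the hex is an OID or a name OpenSSL already knows, and the hex is the DER that `build_extension` wraps in the OCTET STRING for you.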


adding extensions to certificates

2003-03-14 Thread Aleix Conchillo Flaque
hi,

i've been looking at the archives list trying to search how to add
additional extensions to certificates.

i found the thread "Adding Application Attributes to X509 Certificates?"
that is about what i'm asking but using openssl commands and openssl
configuration file. even though, i don't know if "Brian Skrab" who was
asking on how to do it, finally solved it.

my questions are:

1) I'd like to add an additional (attribute,value) pair to a
   certificate, can i use any OID? RFC 2459 suggests to follow IANA or
   ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. do
   i need to follow the same conventions? if so, where can i find them?

2) I'd also like to add an extended key usage, the oid is defined in
   openssl as follows:

#define OBJ_ext_key_usage   OBJ_id_ce,37

   can i use for my extended key usage? would this follow the
   conventions on question 1?

#define OBJ_MY_ext_key_usage    OBJ_id_ce,37,1

3) Once i have an OID, should i use these functions to add an extension
   to a certificate?

X509_EXTENSION_create_by_OBJ
X509_EXTENSION_set_object
X509_EXTENSION_set_critical
X509_EXTENSION_set_data

and

X509_add_ext

any help would be appreciated, thanks in advance.

regards,


aleix
