On Fri, Feb 21, 2003, Hadmut Danisch wrote:

> Hi,
>
> I have a question about defining arbitrary extensions.
> I want to generate certificates with a new extension, so
> I defined something like
>
> [ OIDs ]
>
> kurz = 1.3.6.1.4.1.11009
>
>
> but it doesn't work as expected:
>
> - If I have an entry like
>
>   kurz = "kurz"
>
>   in a distinguished_name section,
>
>   openssl req asks for that entry and puts it in
>   the name field.
>
>   But when dumping the cert with openssl x509 ...-text
>   it shows always the oid instead of a short name.
>
>   How can I teach "openssl x509" to show the short name
>   instead of the oid?
>

Before OpenSSL 0.9.7 there wasn't any way to do this, other than modifying
the source to add the new object to OpenSSL's library.

In 0.9.7 and later you can use the (experimental) config modules. To do this
in openssl.cnf add a line:

openssl_conf=init_section

in the first part (before any sections).

Then add something like:

[init_section]

oid_section=asn1_oids

[asn1_oids]

whatever_oid=1.2.3.4

to the end of the config file. The objects added should then be visible to
all applications of the 'openssl' utility.

> - Putting a line in an extension section, this always
>   results in an error message.
>
>   How can I have a new extension included in the certificate?
>

The supported extensions have code in openssl to translate the extension
string(s) into the appropriate encoding and print them out. The error
message is because OpenSSL doesn't have any code corresponding to your new
extension OID.

There isn't a way to add arbitrary extension code to any released versions
of OpenSSL other than by manually working out the encoding yourself and
using the DER option.

However in 0.9.8-dev there is a mini-ASN1 compiler so you can do things
like:

1.2.3.4=UTF8:some extension string

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
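
The "working out the encoding yourself and using the DER option" route from the reply above, as an added example that is not part of the original message or of OpenSSL: it DER-encodes a UTF8String by hand and formats the bytes as a `DER:` value for an extension section of openssl.cnf. The OID 1.2.3.4 and the string are the placeholders used in the message; the function names are hypothetical.

```python
import re

def der_length(n: int) -> bytes:
    """DER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_utf8string(text: str) -> bytes:
    """UTF8String is UNIVERSAL tag 12 (0x0C), primitive encoding."""
    payload = text.encode("utf-8")
    return b"\x0c" + der_length(len(payload)) + payload

def check_oid(oid: str) -> str:
    """Reject strings that are not a well-formed dotted-decimal OID."""
    if not re.fullmatch(r"[0-2](\.(0|[1-9]\d*))+", oid):
        raise ValueError(f"not a dotted-decimal OID: {oid!r}")
    first, second = (int(a) for a in oid.split(".")[:2])
    if first < 2 and second > 39:
        raise ValueError("second arc must be 0..39 under arcs 0 and 1")
    return oid

def extension_line(oid: str, text: str) -> str:
    """Build '<oid>=DER:<hex>' for an extension section of openssl.cnf."""
    hexval = ":".join(f"{b:02X}" for b in der_utf8string(text))
    return f"{check_oid(oid)}=DER:{hexval}"

if __name__ == "__main__":
    # Placeholder OID and value taken from the message above.
    print(extension_line("1.2.3.4", "some extension string"))
```

A short name such as `kurz` is rejected by `check_oid`, so the generated line always carries the numeric OID and does not depend on an `oid_section` being loaded.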