I hit the wall some time ago trying the same ... adding my custom data to the certs.
Certainly this email back then would have come in handy.
Anyway, just a remark ... the pain in the ass, when you generate the certificate and add your V3 extension (as explained in one of the links), is having to manually encode the value as DER ... it is easy for a small number ... even for a short string ... but beyond that, it is just too much. Does anybody know of some software that does that automatically? I mean ... provide a string/int/bool ... return the hex DER encoded version.
Regards,
Cesc
On 10/19/05, Katie Lucas <[EMAIL PROTECTED]> wrote:
On Tue, Oct 18, 2005 at 04:04:57PM +0200, Jernej Kos wrote:
> Hi,
> is there a way to add custom data (fields?) to SSL certificates ? If
> so, where can i find more documentation about it ?
There's not a huge amount of documentation about this. Several things
I've found;
You need an ASN.1 OID to add your data under. We ended up using the
service at http://www.itu.int/ITU-T/asn1/ to generate and register an
oid under {joint-iso-itu-t(2) uuid(25)} under which we can then
generate our own oids.
You then get a huge long code which you can use in a call to
OBJ_create(YOUR_OID, SHORTNAME, LONGNAME)
which gets you a "nid". The "nid" is the thing that you use to create
& read X509V3 extensions in the certificates.
You need to explain to openssl what format the extension field is. The
easiest way to do this is to call
X509V3_EXT_add_alias(YOUR_NID,SOME_EXISTING_NID)
passing in some field which is the same sort of style as yours.
There's an example in the O'Reilly openssl book (the source is
available as a download at http://www.opensslbook.com/code.html) about
how to sign certificates, and along the way add extensions, and you
can add your own in at that point.
You make a stack of extensions, put your extensions into the stack, add
the stack to the request, sign the request.
Reading them is fairly easy once you've got a nid. You go;
X509_get_ext_by_NID(CERTIFICATE,NID,START_FROM);
Probably with START_FROM= -1, unless you're trying to find the second
occurrence of a field. This gives you -1 for not found, or a position.
You then go
X509_get_ext(CERTIFICATE,POSITION);
And it'll get you the extension. There's then things to read the data
out of it, and get its name and so on, which are all
X509_EXTENSION_xxx type functions.
Once you know the function calls to be looking for, it all gets a bit
easier!
There's info at http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt
Also worth reading http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
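Cesc's question above (turn a string, integer or boolean into the hex DER encoding that a custom extension value needs) is small enough to answer with a few lines of code. The following is an added example, not code from the thread or from OpenSSL: a minimal DER encoder for BOOLEAN, INTEGER, UTF8String and IA5String, with the length and integer edge cases handled (long-form lengths at 128 bytes and above, the leading 0x00 that keeps 128 from reading as -128, minimal two's-complement for negatives), a decoder to confirm the bytes round-trip, and a helper that prints the value in the colon-separated `DER:` form that the openssl config file accepts for arbitrary extensions. Function names and the sample values are my own.

```python
# Added example (not from the thread): DER encoding of the primitive types a
# custom X.509v3 extension value typically needs. Pure Python, no OpenSSL.

TAG_BOOLEAN = 0x01      # universal ASN.1 tag numbers
TAG_INTEGER = 0x02
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16


def der_length(n: int) -> bytes:
    """Length octets: short form below 128, else 0x80|count followed by the
    minimal big-endian count bytes (DER forbids the indefinite form)."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(value)) + value


def der_boolean(flag: bool) -> bytes:
    # DER requires TRUE to be exactly 0xFF; BER would accept any non-zero octet.
    return der_tlv(TAG_BOOLEAN, b"\xff" if flag else b"\x00")


def der_integer(n: int) -> bytes:
    """Big-endian two's complement with the minimal number of octets: a leading
    0x00 appears only when a non-negative value would otherwise set the sign bit."""
    if n == 0:
        return der_tlv(TAG_INTEGER, b"\x00")
    nbytes = (n.bit_length() + 8) // 8        # one extra bit of room for the sign
    value = n.to_bytes(nbytes, "big", signed=True)
    # Drop redundant sign-extension octets (only ever needed for negatives here).
    while len(value) > 1 and (
        (value[0] == 0x00 and value[1] < 0x80) or (value[0] == 0xFF and value[1] >= 0x80)
    ):
        value = value[1:]
    return der_tlv(TAG_INTEGER, value)


def der_utf8string(s: str) -> bytes:
    return der_tlv(TAG_UTF8STRING, s.encode("utf-8"))


def der_ia5string(s: str) -> bytes:
    if not s.isascii():
        raise ValueError("IA5String is ASCII only")
    return der_tlv(TAG_IA5STRING, s.encode("ascii"))


def openssl_config_hex(der: bytes) -> str:
    """Colon-separated hex, the form openssl.cnf takes for 'oid=DER:...' values."""
    return "DER:" + ":".join(f"{b:02x}" for b in der)


def der_decode(data: bytes):
    """Decode one primitive TLV; returns (tag, value, octets consumed).
    Rejects the indefinite and non-minimal length forms DER does not allow."""
    tag, first = data[0], data[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        count = first & 0x7F
        if count == 0 or data[2] == 0:
            raise ValueError("not DER: indefinite or non-minimal length")
        length = int.from_bytes(data[2:2 + count], "big")
        pos = 2 + count
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated value")
    if tag == TAG_BOOLEAN:
        if body not in (b"\x00", b"\xff"):
            raise ValueError("not DER: BOOLEAN must be 00 or FF")
        value = body == b"\xff"
    elif tag == TAG_INTEGER:
        value = int.from_bytes(body, "big", signed=True)
    elif tag == TAG_UTF8STRING:
        value = body.decode("utf-8")
    elif tag == TAG_IA5STRING:
        value = body.decode("ascii")
    else:
        value = body                          # unknown tag: hand back raw octets
    return tag, value, pos + length


if __name__ == "__main__":
    # Constructed sample values, including the ones people usually get wrong.
    for sample in (der_boolean(True), der_integer(128), der_integer(-128),
                   der_utf8string("hello"), der_utf8string("x" * 200)[:6]):
        print(openssl_config_hex(sample))
```

Once you have the hex, the `openssl` tool itself can also do the encoding for you: the x509v3_config syntax accepts `your.oid=DER:0c:05:68:65:6c:6c:6f` as well as `your.oid=ASN1:UTF8String:hello`, so the encoder above is mostly useful when the value is built in your own code rather than in a config file.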