Thank you very much for this info, I was looking for it for ages :)

Best regards,
Jernej Kos.

On Wednesday 19 of October 2005 12:03, Katie Lucas wrote:
> On Tue, Oct 18, 2005 at 04:04:57PM +0200, Jernej Kos wrote:
> > Hi,
> >
> > is there a way to add custom data (fields?) to SSL certificates? If
> > so, where can I find more documentation about it?
>
> There's not a huge amount of documentation about this. Several things
> I've found;
>
> You need an ASN.1 OID to add your data under. We ended up using the
> service at http://www.itu.int/ITU-T/asn1/ to generate and register an
> oid under {joint-iso-itu-t(2) uuid(25)} under which we can then
> generate our own oids.
>
> You then get a huge long code which you can use in a call to
>
> OBJ_create(YOUR_OID, SHORTNAME, LONGNAME)
>
> which gets you a "nid". The "nid" is the thing that you use to create
> & read X509V3 extensions in the certificates.
>
> You need to explain to openssl what format the extension field is. The
> easiest way to do this is to call
>
> X509V3_EXT_add_alias(YOUR_NID,SOME_EXISTING_NID)
>
> passing in some field which is the same sort of style as yours.
>
> There's an example in the O'Reilly openssl book (the source is
> available as a download at http://www.opensslbook.com/code.html) about
> how to sign certificates, and along the way add extensions, and you
> can add your own in at that point.
>
> You make a stack of extensions, put your extensions into the stack, add
> the stack to the request, sign the request.
>
>
> Reading them is fairly easy once you've got a nid. You go;
>
> X509_get_ext_by_NID(CERTIFICATE,NID,START_FROM);
>
> Probably with START_FROM= -1, unless you're trying to find the second
> occurrence of a field. This gives you -1 for not found, or a position.
>
> You then go
>
> X509_get_ext(CERTIFICATE,POSITION);
>
> And it'll get you the extension. There's then things to read the data
> out of it, and get its name and so on, which are all
> X509_EXTENSION_xxx type functions.
>
>
> Once you know the function calls to be looking for, it all gets a bit
> easier!
>
> There's info at http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt
>
> Also worth reading http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]

-- 
Jernej Kos <[EMAIL PROTECTED]>
Unimatrix One
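
The "huge long code" under {joint-iso-itu-t(2) uuid(25)} mentioned in the quoted message is the UUID written as one decimal arc after 2.25. The following is an added example, not code from either poster or from OpenSSL: it derives the dotted string that would be passed as YOUR_OID to OBJ_create, and the DER bytes that identify the extension inside the certificate. The helper names (`uuid_digits`, `uuid_to_oid`, `uuid_to_oid_der`) are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Added example (hypothetical helpers, not OpenSSL API). Returns the digits of a UUID's
 * 128-bit value in `base`, most significant first: the count, or -1 if malformed. */
static int uuid_digits(const char *s, unsigned base, uint8_t digits[40]) {
    static const char hex[] = "0123456789abcdef";
    uint8_t num[16] = {0}, rev[40], zero[16] = {0};
    int nib = 0, n = 0;
    for (; *s; s++) {                       /* hex text -> 16 big-endian bytes */
        const char *p = strchr(hex, tolower((unsigned char)*s));
        if (*s == '-') continue;
        if (p == NULL || nib >= 32) return -1;
        num[nib / 2] |= (uint8_t)((p - hex) << (nib % 2 ? 0 : 4));
        nib++;
    }
    if (nib != 32) return -1;
    do {                                    /* long division of the byte array */
        unsigned rem = 0;
        for (int i = 0; i < 16; i++) {
            unsigned cur = (rem << 8) | num[i];
            num[i] = (uint8_t)(cur / base);
            rem = cur % base;
        }
        rev[n++] = (uint8_t)rem;
    } while (memcmp(num, zero, 16) != 0);
    for (int i = 0; i < n; i++) digits[i] = rev[n - 1 - i];
    return n;
}

/* Dotted form to pass as YOUR_OID: "2.25.<decimal>"; buf needs 45 bytes. */
int uuid_to_oid(const char *uuid, char *buf, size_t len) {
    uint8_t d[40];
    int n = uuid_digits(uuid, 10, d);
    if (n < 0 || len < (size_t)n + 6) return -1;
    memcpy(buf, "2.25.", 5);
    for (int i = 0; i < n; i++) buf[5 + i] = (char)('0' + d[i]);
    buf[5 + n] = '\0';
    return 0;
}

/* DER form as stored in the certificate: 06 <len> 69 <base-128 arc>; 0x69 = 40*2 + 25. */
int uuid_to_oid_der(const char *uuid, uint8_t *out, size_t len) {
    uint8_t d[40];
    int n = uuid_digits(uuid, 128, d);
    if (n < 0 || len < (size_t)n + 3) return -1;
    out[0] = 0x06; out[1] = (uint8_t)(n + 1); out[2] = 0x69;
    for (int i = 0; i < n; i++) out[3 + i] = (uint8_t)(d[i] | (i < n - 1 ? 0x80 : 0));
    return n + 3;
}
```

A 128-bit arc does not fit in a machine word, so a parser that reads OID arcs into fixed-width integers may truncate or reject such an extension OID.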