On Wed, Jun 30, 2010, Christian Hohnstaedt wrote:
> Hi Mag,
>
> On Tue, Jun 29, 2010 at 06:43:24PM -0700, Mag wrote:
> > I'm interested in using custom OIDs for private application purposes.
> > I've found the documentation to be deficient.
> >
> > For instance, in openssl.cnf it gives an example line of
> > [ new_oids ]
> > #testoid1=1.2.3.4
> >
> > When I uncomment that line I can't even tell what the effect is; e.g.,
> > "openssl req ..." doesn't then prompt me for a testoid1 field. Just
> > what is the effect of this supposed to be?
>
> The effect is that openssl now knows a name for this OID.
>
> If you want a DN entry with this OID, add it as above in [ new_oids ],
> go to section [ req_distinguished_name ] and add the lines:
>
> testoid1 = What a great new OID
> testoid1_default = Guess what
Just to add a brief clarification as this thread has answered most of the issues already.

If you want a DN component then the above syntax is fine. OpenSSL will use a DirectoryString for the component if nothing else is defined internally, which will happen in this case.

If you want an extension then you need to make use of the mini-ASN1 compiler to add the appropriate fields.

Note that if you add a new OID name in this way it only affects that instance of OpenSSL: other applications and other instances of OpenSSL will still display the numeric version of the OID and they won't display the fields of an extension as they don't know how to parse and display it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
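As an added example that is not part of the thread, the recipe above as a script: the thread's testoid1 = 1.2.3.4 as a DN component, plus a second made-up name testoid2 = 1.2.3.5 emitted as an extension through the ASN1: syntax of the mini-ASN1 compiler, then the CSR printed against a config that knows the names and against an empty one that does not. It assumes an openssl CLI on PATH and uses prompt = no so it runs unattended; the file names and both OID arcs are illustrative placeholders, not registered values.

```shell
#!/bin/sh
# Added example, not code from the thread. OID 1.2.3.4 from the question
# becomes DN component testoid1; a made-up arc 1.2.3.5 (testoid2) goes in
# as an extension via the ASN1: mini-compiler syntax. The CSR is then read
# with the config that names them and with an empty config that does not.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "needs the openssl CLI" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# oid_section lives in the default (top-level) section, as in the stock
# openssl.cnf. With prompt = no a DN line holds the value itself, so
# "testoid1 = ..." here is field content, not a prompt string.
cat > "$WORK/custom.cnf" <<'EOF'
oid_section = new_oids
[ new_oids ]
testoid1 = 1.2.3.4
testoid2 = 1.2.3.5
[ req ]
distinguished_name = req_distinguished_name
req_extensions = custom_ext
prompt = no
[ req_distinguished_name ]
CN = custom-oid-demo
testoid1 = What a great new OID
[ custom_ext ]
testoid2 = ASN1:UTF8String:private application data
EOF
: > "$WORK/plain.cnf"   # stands in for "another instance of OpenSSL"
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -config "$WORK/custom.cnf" -out "$WORK/req.pem" 2>/dev/null
}
# Print the subject, or the requested-extension header, through whatever
# name table the config file in $1 provides.
subject_using() { openssl req -in "$WORK/req.pem" -noout -subject -config "$1"; }
ext_using() {
    openssl req -in "$WORK/req.pem" -noout -text -config "$1" |
        grep -E -A1 'testoid2:|1\.2\.3\.5:'
}

make_csr
subject_using "$WORK/custom.cnf"   # ... testoid1 = What a great new OID
subject_using "$WORK/plain.cnf"    # ... 1.2.3.4 = What a great new OID
ext_using "$WORK/custom.cnf"       # named, but no parser: raw bytes follow
ext_using "$WORK/plain.cnf"        # 1.2.3.5: and the same raw bytes
```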
