On Wed, Jan 12, 2011 at 10:19:59PM -0800, Scott Thomas wrote:
> Bonjour All,
>
> First I explain the scenario. My domain name is let's say idtech.com.
> Under it I have created an ou=certificate users. Users are created under
> this OU. So my FQDN of a user is
> CN=scott,OU=Certificate Users,DC=idtech,DC=com. Same FQDN is in the
> subject of the user certificate & SC logon is working fine.
>
> If I want to add some custom attributes in the Subject of X.509
> certificate, let's say NIC=148795-89759 & EmpNo=AQ5116494,
> then my Subject can become:
> CN=scott,NIC=148795-89759,EmpNo=AQ5116494,OU=Certificate Users,DC=idtech,DC=com
>
> Is it possible in OpenSSL?

Yes. You need your own root OID. I used 1.2.3.4.5.6.7 as a sample.
Put the following into your openssl.cnf

------------------------------------------
# Needs "oid_section = new_oids" in the default section
# (the stock openssl.cnf already has it).
[ new_oids ]
NIC=1.2.3.4.5.6.7.8
EmpNo=1.2.3.4.5.6.7.9

[ req_distinguished_name ]
NIC                             = The NIC of the user
NIC_default                     = 148795-89759
EmpNo                           = Employer number
EmpNo_default                   = AQ5116494
------------------------------------------

You probably also need to add these OIDs to the software displaying
and evaluating the certificate.

On the other hand, to create rfc3280 compliant certificates one could use
"title" or "pseudonym" like:

[ req_distinguished_name ]
title                           = The NIC of the user
pseudonym                       = Employer number

Christian
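
Added example, not part of Christian's reply or of OpenSSL's own material: shell functions that build a CSR carrying the two attributes and print its subject twice, once through the config that defines the OIDs and once through one that does not, which is the display problem the reply warns about. The file names, the viewer.cnf stand-in and the non-interactive [ req ] settings are assumptions; 1.2.3.4.5.6.7 is still the reply's sample arc, not a registered one.

```shell
# Added example. issuer.cnf, viewer.cnf and scott.* are assumed file names.
# issuer.cnf holds the reply's [ new_oids ] entries plus a non-interactive
# [ req ]. RDNs are listed root-first; RFC 2253 output prints them reversed.
write_configs() {
    cat > "$1/issuer.cnf" <<'EOF'
oid_section = new_oids
[ new_oids ]
NIC = 1.2.3.4.5.6.7.8
EmpNo = 1.2.3.4.5.6.7.9
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
0.DC = com
1.DC = idtech
OU = Certificate Users
EmpNo = AQ5116494
NIC = 148795-89759
CN = scott
EOF
    # viewer.cnf stands in for software that was never told about the OIDs.
    cat > "$1/viewer.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF
}

# Create a throwaway key and a CSR whose subject carries both attributes.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/issuer.cnf" \
        -keyout "$1/scott.key" -out "$1/scott.csr" 2>/dev/null
}

# Print the CSR subject as seen through the config file given as $2.
show_subject() {
    openssl req -in "$1/scott.csr" -noout -subject -nameopt RFC2253 -config "$2"
}

demo() {
    d=$(mktemp -d) && write_configs "$d" && make_csr "$d" || return 1
    show_subject "$d" "$d/issuer.cnf"   # attribute names NIC= and EmpNo=
    show_subject "$d" "$d/viewer.cnf"   # dotted OIDs with hex-dumped values
    rm -rf "$d"
}
[ "${1:-}" != demo ] || demo
```

Run it as `sh file.sh demo`; the second subject line is what a relying application shows until it is given the same OID-to-name mapping.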