3

I have the following questions related to OpenSSL Private OID support:

  1. By going through the OpenSSL configurations and other artifacts on the internet, I found that OpenSSL supports configuring private OIDs, but I am not clear on how to specify the syntax of the values for the attributes associated with those OIDs.
  2. Is it possible for me to configure that the private OIDs configured by me should be used only in the Subject Name or Issuer Name of the certificate and not for other fields or for any other object?
Jay

2 Answers

5

You can define short names on OIDs inside an oid_section like so:

```
myOid = 1.2.3.4
```

To define what form you want the defined OID to take you can add definitions at the top level of the openssl.cnf file (not inside any block). These definitions use the mini-ASN.1 compiler that was added in OpenSSL 0.9.8.

```
1.2.3.4=critical,ASN1:UTF8String:Some random data
```

You can also look at the syntax of the mini-ASN.1 compiler or the OpenSSL docs on generating arbitrary extensions.

I'm not familiar with a way to prevent OpenSSL from allowing defined OIDs to be used anywhere, but remember that the OIDs you define in your openssl.cnf will appear as raw OIDs to any relying party that parses these certificates without the benefit of your definitions.

For example, if you define 1.3.6.1.4.1.808808080.1 as "myOid", then when parsing a certificate with that in the subject DN on the system you've configured, it will appear as `/CN=something/O=something else/myOid=myValue`, while on other systems it will appear as `/CN=something/O=something else/1.3.6.1.4.1.808808080.1=myValue`.

Paul Kehrer
  • Thanks for your reply. So, let's say I add a new OID 1.2.3.4, but I want this OID to be used only in the Subject and Issuer fields and not in other fields; there is no way I can specify this in OpenSSL, right? It will be used for all fields where OIDs are applicable, right? – Jay Feb 01 '13 at 05:24
  • Correct, there's no way to prevent that to my knowledge. – Paul Kehrer Feb 01 '13 at 16:59
  • This is not entirely true. If you distribute this same config, or at least the part of a config where new OIDs are defined, and if it is used when dissecting the CSR or certificate, one will see your OID names. E.g. `openssl req -config oids.conf -in your.csr -noout -text` will show textual attribute names, while without -config it will show digits. – Nikita Kipriyanov Aug 06 '23 at 17:51
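The workflow from the answer and the last comment, as an added example that is not code from the original posts: a constructed openssl.cnf registers the private OID under a short name, a CSR is generated with that name in its subject, and the same CSR is printed with and without the definitions. It assumes the openssl CLI is installed; the section names (new_oids, req_dn, v3_req) and the throwaway RSA key are my choices, and the arbitrary extension is placed in the CSR's extension section, which is where the x509v3_config syntax expects it.

```bash
# Added example, not from the original answers. Assumes the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/oids.cnf"      # config carrying the private OID definitions
PLAIN="$WORK/plain.cnf"    # constructed stand-in for a relying party's config
CSR="$WORK/req.csr"

# Constructed config: oid_section registers the short name, v3_req carries
# the arbitrary extension written in the ASN1: mini-compiler syntax.
cat > "$CONF" <<'EOF'
oid_section = new_oids

[ new_oids ]
myOid = 1.3.6.1.4.1.808808080.1

[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no

[ req_dn ]

[ v3_req ]
1.2.3.4 = critical,ASN1:UTF8String:Some random data
EOF
printf '# no oid_section here\n' > "$PLAIN"

# Generate a throwaway key and a CSR whose subject uses the short name;
# OpenSSL resolves myOid through the oid_section of the loaded config.
make_csr() {
    openssl req -new -config "$CONF" -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -subj "/CN=something/O=something else/myOid=myValue" -out "$CSR" 2>/dev/null
}

# Subject as printed by a system that loaded the definitions (myOid = myValue).
subject_with_config() {
    openssl req -in "$CSR" -config "$CONF" -noout -subject
}

# Subject as printed by a system without them: the raw dotted OID appears.
subject_without_config() {
    openssl req -in "$CSR" -config "$PLAIN" -noout -subject
}

make_csr
subject_with_config
subject_without_config
```

Adding `-text` to either `openssl req -in` call also shows the critical 1.2.3.4 extension, whose value is dumped as raw DER because no parser knows its structure.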
-1

Beyond the technical aspect, I'm not sure that you cannot run into legal issues if your definition ever surfaces to the public and conflicts with reserved OIDs. It seems that there is no hurdle to publicly allocating an OID space.

Also, there are predefined experimental spaces.

Is there reserved OID space for internal enterprise CAs?

Sam Ginrich