I'm trying to add a custom extension to a CSR using the OpenSSL APIs:

#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

/* x is the X509_REQ being built; nid receives the NID returned by OBJ_create() */
int nid;
STACK_OF(X509_EXTENSION) *exts = sk_X509_EXTENSION_new_null();
X509_EXTENSION *ex;
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
nid = OBJ_create("2.5.29.41", "CompanyName", "Company Name"); /* name is registered only in this process */
ASN1_OCTET_STRING_set(os, "ABC Corp", 8);                    /* raw bytes become the extension value */
ex = X509_EXTENSION_create_by_NID(NULL, nid, 0, os);          /* 0 = not critical */
sk_X509_EXTENSION_push(exts, ex);
X509_REQ_add_extensions(x, exts);

I request a certificate and receive it through an SCEP request (Windows 2008 server). Later, when I parse the certificate, I see that the extension displayed is still the OID and not the extension name "Company Name":

X509v3 extensions:
    2.5.29.41:
        ABC Corp

Am I adding the extension in the correct way? How do I get the extension name into the certificate?

Please help, friends.

Ajay

2 Answers

It is expected behavior. Your extension with OID=2.5.29.41 is non-standard to Windows, therefore you see only OID value. You should not care about this fact as long as your client application has knowledge about this extension and can parse its contents.

Though, I have a strong suspicion that you are using this extension wrongly. From what I have found, OID=2.5.29.41 stands for the basicAttConstraints certificate extension. Reference: http://oidref.com/2.5.29.41. I found a sample implementation in Java: Class BasicAttConstraint. The value is expected to be an integer and its meaning is similar to the PathLength attribute of the Basic Constraints certificate extension. But you are setting a string there. This makes zero sense.

Crypt32
  • Thanks Crypt32, can I use an OID above 2.5.29.69 ? – Ajay Apr 12 '18 at 15:24
  • Also is there a way I can configure on the windows server to map extension name to this custom OID I am adding to the cert request – Ajay Apr 12 '18 at 15:25
  • I have no idea what you are trying to accomplish. It would be better if you explain what is your task. Otherwise, it is typical XY problem. – Crypt32 Apr 12 '18 at 16:14
  • Hi Crypt32, I am trying to add a custom attribute to x509v3 extensions in the certificate to be requested from a windows 2008 server through SCEP protocol. This is for unique identification of the certificate – Ajay Apr 13 '18 at 02:12
  • You can uniquely identify a certificate by a combination of the issuer and serial number fields. – Crypt32 Apr 13 '18 at 04:26
  • No, I need a set of devices to be identified as the same. For example, all my devices connected to a server, when sharing their certificate, need to have the same attribute and value. This way the server can identify the kind of devices. This is the reason I am having a custom attribute and value. This attribute and its value are fixed for all the certificate requests issued from my devices – Ajay Apr 13 '18 at 05:39
  • For these purposes you can use RDN attributes in subject name. It is easier than inventing custom extension. – Crypt32 Apr 13 '18 at 12:59
  • Hi Crypt32, I am looking at one more issue. Require your help. I am sending a CSR to a server and I am able to successfully obtain a certificate. I am adding a custom attribute OID (2.5.29.70) in SAN: X509_EXTENSION *pExtension = X509V3_EXT_conf_nid(NULL, NULL, nid, "DNS:def.com,otherName:2.5.29.70;UTF8:ABC"); sk_X509_EXTENSION_push(ext,pExtension); then I am calling X509_REQ_add_extensions(). Finally, in my certificate, I get OtherName in SAN as 2.5.29.70=0c 0b 41 42 43 – Ajay May 03 '18 at 12:16
  • I am OK with the OID part. The value is a hex string. How can I make it display in ASCII? I am using C++ – Ajay May 03 '18 at 12:16

The name of an extension is not saved in the certificate. Only its OID.

Certificate viewers have a short table of known extensions and their name. When displaying an extension in the table, the name is used, otherwise just the OID is shown. In this case the viewer you use does not have a stored name for that extension.

The OBJ_create() call adds an OID to OpenSSL's internal table of named OIDs. This name is not used when saving the certificate.

Mats
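The point both answers make, shown as an added shell example that is not from the question or either answer: the CSR carries only the dotted OID, and whether a decoder prints a name depends on that decoder's own OID table. It assumes the openssl command-line tool is available and uses a placeholder OID under a made-up enterprise arc (1.3.6.1.4.1.99999) instead of 2.5.29.41, which is already assigned.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Assumes the openssl CLI. The OID is a placeholder under a made-up enterprise
# arc; in practice use your own IANA Private Enterprise Number.
set -eu
OID="1.3.6.1.4.1.99999.1"            # placeholder, not a registered OID
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Requester side: register a display name for the OID (oid_section) and
# put the extension, DER-encoded as a UTF8String, into the CSR.
cat > "$WORK/req.cnf" <<EOF
oid_section = new_oids
[ new_oids ]
CompanyName = $OID
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = device
[ ext ]
CompanyName = ASN1:UTF8String:ABC Corp
EOF

# Decoder side that has never heard of the OID: no oid_section at all.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/viewer.cnf"

make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -config "$WORK/req.cnf" -out "$WORK/req.pem" 2>/dev/null
}

# Decode the CSR with a given config; the name table comes from that config only.
dump_with() { openssl req -in "$WORK/req.pem" -noout -text -config "$1"; }

# Returns 0 when the decoded extension is labelled "CompanyName".
name_shown_with() { dump_with "$1" | grep -qF 'CompanyName'; }
# Returns 0 when the decoded extension is labelled with the bare dotted OID.
oid_shown_with()  { dump_with "$1" | grep -qF "$OID"; }

make_csr
name_shown_with "$WORK/req.cnf"    && echo "requester config: name shown"
oid_shown_with  "$WORK/viewer.cnf" && echo "viewer config: only the OID shown"
```

The same CSR bytes are decoded both times; only the configuration handed to the decoder differs.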