Ajay

Reputation: 23

create x509v3 certificate with custom extension CSR issue

I'm trying to add a custom extension to a CSR using the OpenSSL APIs:

#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

/* x is an X509_REQ * that has already been created and filled in */
STACK_OF(X509_EXTENSION) *exts = sk_X509_EXTENSION_new_null();
X509_EXTENSION *ex;
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
int nid = OBJ_create("2.5.29.41", "CompanyName", "Company Name");
ASN1_OCTET_STRING_set(os, (const unsigned char *)"ABC Corp", 8);
ex = X509_EXTENSION_create_by_NID(NULL, nid, 0, os);   /* 0 = not critical; the value is copied */
sk_X509_EXTENSION_push(exts, ex);
X509_REQ_add_extensions(x, exts);                      /* encodes the stack into the request */
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
ASN1_OCTET_STRING_free(os);

I request a certificate and receive it through an SCEP request (Windows 2008 server). Later, when I parse the certificate, I see that the extension displayed is still the OID and not the extension name "Company Name":

X509v3 extensions:  
2.5.29.41: 
        ABC Corp 

Am I adding the extension in the correct way? How do I get the extension name into the certificate?

Please help friends..

Upvotes: 0

Views: 2717

Answers (2)

Mats

Reputation: 8638

The name of an extension is not saved in the certificate. Only its OID.

Certificate viewers have a short table of known extensions and their name. When displaying an extension in the table, the name is used, otherwise just the OID is shown. In this case the viewer you use does not have a stored name for that extension.

The OBJ_create() call adds an OID to OpenSSL's internal table of named OIDs. This name is not used when saving the certificate.

Upvotes: 0

Crypt32

Reputation: 13954

It is expected behavior. Your extension with OID=2.5.29.41 is non-standard to Windows, therefore you see only OID value. You should not care about this fact as long as your client application has knowledge about this extension and can parse its contents.

Though, I have a strong suspicion that you are using this extension wrongly. From what I have found, OID=2.5.29.41 stands for the basicAttConstraints certificate extension. Reference: http://oidref.com/2.5.29.41. I found a sample implementation in Java: Class BasicAttConstraint. The value is expected to be an integer and its meaning is similar to the PathLength attribute of the Basic Constraints certificate extension. But you are setting a string there. This makes zero sense.

Upvotes: 1
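Both answers rest on the same fact: an X.509v3 extension is DER-encoded as SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }, so the only identity the certificate carries is the OID, and the "Company Name" passed to OBJ_create() exists only in the table of the process that called it. The following is an added example, not code from the question or from OpenSSL: it builds that DER by hand in Python (standard library only, no OpenSSL binding), parses it back, and resolves the OID through a viewer-side name table the way a certificate viewer or OBJ_create() does locally. The viewer table entries, the "Company Name" registration, and the private OID under the enterprise number that RFC 5612 reserves for documentation (32473) are assumptions for illustration.

```python
# Added example (not from the original post or from OpenSSL): hand-built
# DER for an X.509v3 extension, parsed back, to show that only the OID is
# stored; any name for it lives in the parsing process's own table.

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06): the first two arcs pack into one
    number (40*a+b); each arc is written base-128, high bit set on all but
    its last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [value & 0x7F]
        value >>= 7
        while value:
            octets.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(octets))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }.
    DER requires a FALSE critical flag to be omitted, so it only appears
    when the extension is critical."""
    inner = encode_oid(oid)
    if critical:
        inner += b"\x01\x01\xff"
    inner += b"\x04" + _der_length(len(value)) + value
    return b"\x30" + _der_length(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid on the content octets (tag and length stripped)."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = arcs.pop(0)
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs)


def decode_extension(der: bytes):
    """Parse one Extension; returns (dotted OID, critical, value bytes)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, content, pos = _read_tlv(body, pos)
    if tag == 0x01:                       # optional critical BOOLEAN
        critical = content != b"\x00"
        tag, content, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, content


# The viewer side: a local OID -> name table (assumed entries). This is what
# OBJ_create() extends inside the process that calls it; none of it is
# written into the certificate.
KNOWN_EXTENSIONS = {
    "2.5.29.15": "X509v3 Key Usage",
    "2.5.29.19": "X509v3 Basic Constraints",
}


def display_name(oid: str, table=KNOWN_EXTENSIONS) -> str:
    """Name if this viewer knows the OID, otherwise the dotted OID itself."""
    return table.get(oid, oid)


# 2.5.29 is the X.509 certificateExtension arc and 2.5.29.41 is already
# assigned there. A private extension belongs under an arc you control;
# 32473 is the enterprise number RFC 5612 reserves for documentation, so
# this OID is a placeholder for illustration, not one to ship.
PRIVATE_EXT_OID = "1.3.6.1.4.1.32473.1"

if __name__ == "__main__":
    ext = encode_extension("2.5.29.41", b"ABC Corp")
    print(ext.hex())                              # 300f0603551d29040841424320436f7270
    oid, crit, val = decode_extension(ext)
    print(display_name(oid), crit, val)           # 2.5.29.41 False b'ABC Corp'
    viewer = dict(KNOWN_EXTENSIONS, **{oid: "Company Name"})   # like OBJ_create()
    print(display_name(oid, viewer))              # Company Name
```

The hex dump makes the point directly: the 17 bytes contain the OID octets 55 1D 29 and the value "ABC Corp", and nothing that could spell "Company Name". Registering the name in the viewer's table (the last two lines) is the only way it ever appears, which is exactly what OBJ_create() does for the OpenSSL process that calls it and what Windows' own table does not do for an unrecognised OID.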
