GALAXY_XIXI

Reputation: 1

How can I add custom extensions to an X.509 cert?

I need to add some value in the cert extension field, such as adding an extension named "num" to indicate something's count. But it seems we can only add standard extension types which are defined with a registered OID. Is there a way to customize a new extension type or create a map between my new OID and the registered extension OID?


  File "C:\Users\xm\AppData\Local\Programs\Python\Python310\lib\site-packages\cryptography\x509\base.py", line 885, in sign
    return rust_x509.create_x509_certificate(self, private_key, algorithm)
NotImplementedError: Extension not supported: 1.1.1.1

Upvotes: 0

Views: 1813

Answers (1)

Shane Powell

Reputation: 14148

The OIDs are tightly controlled, so you can't just use any number you like. If you wish to use your own set of numbers you need to allocate a Private Enterprise Number (PEN) controlled by IANA. Companies can allocate a PEN number here (it's free). Once you have a PEN number you will not clash with any other already allocated OIDs.

Your OID will look like 1.3.6.1.4.1.X where X is the PEN allocated to you. This will be your root OID number under which you allocate any sub-number you like.

I like to allocate company functional areas under your root and then specific values under them.

i.e. 1.3.6.1.4.1.X.F.V where X is the PEN allocated to you, F is the functional area of the company and V is the value number. e.g. 1.3.6.1.4.1.1.1.1

I also like to set up an openssl configuration file so that it translates the custom OIDs to useful text when dumping the certificate files.

Upvotes: 1
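An added example, not part of the question or answer above and not the cryptography project's own code: one way to carry a "num" count under a private-enterprise OID using `x509.UnrecognizedExtension`, which takes an OID and the raw DER bytes of the value. The PEN 99999, the choice of a DER INTEGER as the value encoding, and the helper names are assumptions made for this sketch.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed placeholder: 99999 stands in for your own PEN (the X in 1.3.6.1.4.1.X.F.V),
# followed by functional area 1 and value 1 for the hypothetical "num" extension.
NUM_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")

def der_integer(n: int) -> bytes:
    """DER-encode a non-negative INTEGER; short-form length only."""
    if n < 0:
        raise ValueError("count must be non-negative")
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0 bit keeps it positive
    if len(body) > 127:
        raise ValueError("count too large for short-form length")
    return bytes([0x02, len(body)]) + body

def parse_der_integer(data: bytes) -> int:
    """Strictly parse what der_integer() produces; reject anything else."""
    if len(data) < 3 or data[0] != 0x02 or data[1] > 127 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(data[2:], "big", signed=True)

def build_cert(count: int) -> x509.Certificate:
    """Self-signed throwaway certificate carrying the custom extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    # extnValue must hold the DER encoding of an ASN.1 value (RFC 5280), so the
    # count is wrapped as an INTEGER rather than stored as raw text.
    ext = x509.UnrecognizedExtension(NUM_OID, der_integer(count))
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        # Non-critical: a verifier must reject a critical extension it does not recognize.
        .add_extension(ext, critical=False)
        .sign(key, hashes.SHA256())
    )

def read_count(cert: x509.Certificate) -> int:
    """Fetch the custom extension by OID and decode its value."""
    ext = cert.extensions.get_extension_for_oid(NUM_OID)
    return parse_der_integer(ext.value.value)
```

Code that consumes the certificate should treat the decoded count as untrusted input until the certificate's signature and chain have been verified.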
