I have been searching the web for a few hours and I cannot find a way to do this. I have already been able to create a self-signed CA certificate using these commands:
openssl genrsa -out ca.key 1024
openssl req -new -x509 -extensions v3_ca -key ca.key -out ca.crt -days 3650
Now I want to create a new certificate and sign it with my CA. In the new certificate I want to have my own extension (we can call it "abc") with an integer value of "1". I tried the following command:
openssl req -new -nodes -newkey rsa -extensions abc -keyout mycert.key -out mycsr.csr -days 365 -config ./openssl.cnf
While using the openssl.cnf file including only this:
[ abc ]
abc = ASN1:INTEGER:1
I get the following error:
Error Loading extension section abc
3073632456:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:
3073632456:error:22074073:X509 V3 routines:V3_GENERIC_EXTENSION:extension name error:v3_conf.c:271:name=abc
I found this vaguely related topic here on SO, but it does not help at all...
What seems to be the problem? How can I correct myself? Any thoughts appreciated.
Your error is in the param abc (extension name error:v3_conf.c:271:name=abc), not the section [abc].
You cannot write abc = ...
If you see something like policyConstraints = ... in a config, this means the keyword policyConstraints has its own OID (2.5.29.36, see http://www.oid-info.com/get/2.5.29.36) and it is precompiled in the library.
So what you can do:
1. Try to find an existing OID that is suitable for you and write it instead of abc.
2. Define your own OID (just use 1.2.3.4 instead of abc), but such a certificate cannot be used in other systems.
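The second option, carried through from CA to signed certificate, as an added example that is not part of the original question or answer. It keys the extension by the answer's placeholder OID 1.2.3.4; the subject names, 2048-bit keys and the function name are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: builds a throwaway CA and a leaf certificate that carries a
# custom extension keyed by numeric OID. All names here are constructed.
issue_cert_with_custom_ext() (
    cd "$1" || exit 1

    # One config for the CA, the CSR and the signing step. The extension is
    # named by OID because "abc" is not a name the library can resolve.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = example.test

[ v3_ca ]
basicConstraints = critical, CA:TRUE

[ abc ]
1.2.3.4 = ASN1:INTEGER:1
EOF

    # Self-signed CA certificate.
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout ca.key \
        -out ca.crt -days 3650 -subj "/CN=Demo CA" \
        -config openssl.cnf -extensions v3_ca || exit 1

    # CSR requesting the extension (-reqexts selects the section for a CSR).
    openssl req -new -nodes -newkey rsa:2048 -keyout mycert.key \
        -out mycsr.csr -config openssl.cnf -reqexts abc || exit 1

    # Sign with the CA. The extension is supplied again through -extfile,
    # so the result does not depend on extensions being copied from the CSR.
    openssl x509 -req -in mycsr.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out mycert.crt -days 365 \
        -extfile openssl.cnf -extensions abc || exit 1

    # Show the extension as it appears in the issued certificate.
    openssl x509 -in mycert.crt -noout -text | grep -F -A1 '1.2.3.4'
)

issue_cert_with_custom_ext "${1:-$(mktemp -d)}"
```
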