How to issue certificate to an entity with custom DN format?

In our application we generate certificates for internal entities like platform and user. Our internal entities are identified by custom DNs:

  • Platform DN: p=platformName
  • User DN: cn=userName,p=platformName

We tried to generate X.509 certificate for platform or user with popular tools like openssl, keytool, implementation of javax.security (BouncyCastle), e.g.:

keytool -genkey -dname "p=platformName" -alias platformName

However, those tools do not accept/recognize keyword "P" or require certain keywords like "CN" in certificate subject DN.

How to issue certificate to an entity with custom DN format?

Note: We do not need to have DNs containing standard keywords (CN, OU, etc.), because all certificates will be for internal use of our products (will not be validated by 3rd party or included in certificate chain).

dzieciou asked Jan 05 '12 10:01


2 Answers

"We do not need to have DNs containing standard keywords (CN, OU, etc.)"

"How to issue certificate to an entity with custom DN format?"

The attributes or fields displayed are a presentation level detail. There is no distinguished DN field per se. The fields used to form the DN are a mashup of other attributes and are arbitrarily chosen. The common ones are C, O, OU, CN, etc.

Attributes or fields like C, O, OU, CN have well known OIDs associated with them. There are other OIDs you can use that are recognized by tools. For example, the ITU's X.520 lists hundreds of them. There are other standards that declare them too. For example, the email address attribute is from PKCS 9 and has an OID of 1.2.840.113549.1.9.1.

As Burhan Khalid stated, you can even add your own name/value pairs by making up OIDs (some hand waving). However, other presentation tools won't know how to display them. That is, they won't know the "friendly name".

Because other tools don't recognize your OID for platform (or "p=..."), you are getting "those tools do not accept/recognize keyword 'P'". The tools don't know how to deal with your custom attributes.

jww answered Jan 01 '23 15:01


I can only speak for openssl, as I am not familiar with other tools.

From the openssl docs

ASN1 OBJECT CONFIGURATION MODULE

This module has the name oid_section. The value of this variable points to a section containing name value pairs of OIDs: the name is the OID short and long name, the value is the numerical form of the OID. Although some of the openssl utility sub commands already have their own ASN1 OBJECT section functionality not all do. By using the ASN1 OBJECT configuration module all the openssl utility sub commands can see the new objects as well as any compliant applications.

So what you have to do is create these OIDs in /etc/openssl.conf or wherever the file is for your platform; then openssl will not give you the "Subject attribute p has no known NID, skipped" message, which I suspect is what you are getting now.

Burhan Khalid answered Jan 01 '23 13:01
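The following script is an added example, not code from the question or from either answer. It carries Burhan Khalid's oid_section suggestion through with openssl and, at the same time, illustrates jww's point that "p" is only a friendly name for an OID: it registers a private OID for the attribute, issues a self-signed certificate whose subject is p=platformName, and then prints the subject both as openssl x509 displays it and forced into numeric OID form. The OID 1.3.6.1.4.1.99999.1 is a placeholder under the IANA private-enterprise arc (an assumption for this example); a real deployment would use an arc assigned to the organisation. It assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example; not code from the question or from either answer.
# Registers a private OID for the custom "p" attribute through an
# oid_section, issues a self-signed certificate with subject "p=<name>",
# and reads the subject back as displayed and in numeric OID form.
# CUSTOM_P_OID is a placeholder OID (assumption); use your own arc.

CUSTOM_P_OID="1.3.6.1.4.1.99999.1"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl config for one platform name. The top-level
# oid_section is read by "openssl req" itself, so the short name "p"
# is known while the request/certificate is built.
write_config() {
    # $1: config path to write, $2: platform name for the "p" attribute
    cat > "$1" <<EOF
oid_section = custom_oids

[ custom_oids ]
p = $CUSTOM_P_OID

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
p = $2
EOF
}

# Issue a self-signed certificate for a platform and print its path.
# Key-generation noise on stderr is silenced; a rejected DN returns 1.
issue_platform_cert() {
    write_config "$WORK/$1.cnf" "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null || return 1
    printf '%s\n' "$WORK/$1.crt"
}

# Subject as "openssl x509" prints it. This command does not read the req
# config, so unless the OID is registered globally (default openssl.cnf)
# it shows the dotted OID instead of the friendly name "p".
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Subject forced into numeric form: "p" is only a display label; the
# certificate itself carries the OID.
cert_subject_oid() {
    openssl x509 -in "$1" -noout -subject -nameopt oid
}

crt=$(issue_platform_cert platformName)
cert_subject "$crt"
cert_subject_oid "$crt"
```

Putting the same `[ custom_oids ]` section (and `oid_section = custom_oids`) into the default openssl.cnf is what makes every openssl sub command, not only req, print `p` instead of the dotted form; any other tool that has not been told about the OID will keep showing the numeric form, which is the "friendly name" problem jww describes.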