Menu
I need to create and sign (I am CA) certificate with custom subject (, SERIALNUMBER=...,).
So far I have modified openssl config file so I am able to inclde custom fields in subject.
[ new_oids ]
SERIALNUMBER = 1.2.3.4.1333
Problem is, that after signing such certificate new fields appear in that strange number format -
C = FI
O = Maahanmuuttovirasto
1.2.3.4.1333 = 00REINIS00
where and what should I change in my openssl config file to generate certificate with normal field names? How do I tell to signing process that 1.2.3.4.1333 should be encoded as 'SERIALNUMBER'.
Thank you, Beef
216
subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName) : subjectAltName must always be used (RFC 3280 4.2. 1.7, 1. paragraph). CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software.
That is actually no error at all. What gets stored in the certificate's subject is a DistinguishedName. Cf. RFC 5280
TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version MUST be v3 -- }
So the subject is a Name, this is defined as
Name ::= CHOICE { -- only one possibility for now --
rdnSequence RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- DEFINED BY AttributeType
So as you can see, the subject consists of a sequence of RelativeDistingsuishedNames, that each represent a pair of an oid plus the assigned value. That implies that nowhere in your certificate 'SERIALNUMBER' will be stored, but only the value for the oid, 1.2.3.4.1333. It's up to applications to interpret these oids as something meaningful and there are a number of common oids that most applications know and will represent using a string, such as "C", "O", "OU", "CN" and so on ( cf. RFC 2253 or RFC 1779).
But 'SERIALNUMBER' is unknown to OpenSSL by default, in fact, you are adding it to new_oidsyourself. Due to this, OpenSSL does not know how to represent 'SERIALNUMBER' other than by printing the OID itself. But any other software that is aware of 'SERIALNUMBER' (IIRC Windows/IE is) will display this correctly as being the value of 'SERIALNUMBER'.
95
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
