Inserting Custom OIDs into OpenSSL
Solution
You will need to create a configuration file for OpenSSL to use. You can obtain a simple configuration file by using the OpenSSL Command Tool on our PKI Widgets website (https://pkiwidgets.quovadisglobal.com/scriptgen/openssl.aspx).
Within your configuration file, you must first define the section where your OIDs will be listed:
oid_section = {OIDSectionName}
[data] can be anything you wish. Just ensure that you do not include any spaces Here’s an example:
oid_section = my_oids
Once you have specified this, then you will need to create the section and list the custom OID(s):
[ {OIDSectionName} ]
{OIDName} = {x.x.x.xx}
{OIDSectionName} is once again, what you specified in the oid_section.
{OIDName} is the name of the OID extension.
{x.x.x.xx} is the numbers of the included OID.
Here’s our example:
[ my_oids ]
OrganizationID=2.5.4.97
Once you have the oid_section, {OIDName} and its numbers specified, you can insert the OIDName into the subject DN:
distinguished_name = dn
[ DN ]
{OIDName} = {data}
{data} is the data that will be put into that field for the request.
OIDs can also be placed other places in the configuration file. Instead of putting them in the distinguished_name section, you could put them in the req_extensions:
req_extensions = req_ext
[ req_ext ]
OrganizationID=2.5.4.97
Note: Keep in mind that oid_section should not be in any other section. It could be in the first line in your configuration file.
Example of a full configuration file:
oid_section = OIDs
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha1
distinguished_name = dn
req_extensions = req_ext
[ OIDs ]
MySensationalOID=1.2.3.45
MyOutstandingOID=2.3.4.56
[ dn ]
CN = John Smith
emailAddress = john.smith@quovadisglobal.com
O = QuoVadis Group
C = US
MySensationalOID= Support Department
[ req_ext ]
subjectAltName = email:john.smith@quovadisglobal.com
MyOutstandingOID=Hubert Dean
If you were to save this file as my_oids.conf, then the command in OpenSSL to run would be:
openssl req -new -config my_oids.conf -keyout my_private.key -out my.csr
This will provide you both a private key (my_private.key) and a certificate signing request (my.csr).