Syntax of OID values
Neil Horman
nhorman at openssl.org
Thu Jun 27 14:41:55 UTC 2024
I believe the oid_file key in the config is used by the ca and req applets
and is meant to be a value rather than a section (i.e. oid_file =
/path/to/oid/file/name)
To do what I believe you are trying to do above, you need to follow the
directions here:
https://www.openssl.org/docs/man1.1.1/man5/config.html
by assigning an oid_section like this:
oid_section = my_oid_section_name
And then creating the section:
[my_oid_section_name]
some_new_oid = 1.2.3.4
On Thu, Jun 27, 2024 at 1:48 AM Dvorcovoy Dmitry V. via openssl-users <
openssl-users at openssl.org> wrote:
> I want to make my own tiny rootca.
> There are problem with supporting OIDS. I found in documentation about
> oid_file, but can not decode syntax of values.
> DER: works fine, but I want to use more readeable format.
>
> All I can find is the same docs without a tiny working example how to use
> my defined oids.
> sample:
> [oid_file]
> 1.3.6.1.4.1.311.21.1 msCAversion XCN_OID_CERTSRV_CA_VERSION
> 1.3.6.1.4.1.311.21.4 msCRLNextPublish XCN_OID_CRL_NEXT_PUBLISH
>
> [ca.conf]
> oid_file =oid.txt
> ...
> [ crl_ext ]
> authorityKeyIdentifier=keyid:always
> msCAversion = DER:020101
> msCRLNextPublish = DER:170D3234303930393131333635395A
>
> with these options all works ok.
> >openssl ca -config ca.conf -gencrl -crlexts crl_ext -out crl.pem
>
> but when I try anything like this:
> msCAversion = 1
> msCAversion = INT:01
> msCAversion = INTEGER:0x01
> (and many other combinations)
>
> I'll got the same error:
> Using configuration from ca.conf
> Error checking CRL extension section crl_ext
> 00CEC9A0FA7F0000:error:11000081:X509 V3 routines:do_ext_nconf:unknown
> extension:crypto/x509/v3_conf.c:92:
> 00CEC9A0FA7F0000:error:11000080:X509 V3
> routines:X509V3_EXT_nconf_int:error in
> extension:crypto/x509/v3_conf.c:48:section=crl_ext, name=msCAversion,
> value=INTEGER:0x01
>
> Same with datetime, there are no help about it's format:
> msCRLNextPublish =UTC
> =: UTCTIME:"2024-Sep-09 11:36:59"
> =ANS1.UTCTIME....
>
> How to properly fromat values and please, include it with examples to
> documentation?
>
> And what to do to make -text outpul with readeable format, not just dump
> of OIDs? I think, there have to be some global OID config file, but where
> is it?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240627/96722c21/attachment.htm>
More information about the openssl-users
mailing list