[openssl-users] custom name attributes not sent with certificate

Jakob Bohm jb-openssl at wisemo.com
Fri Feb 6 14:15:29 UTC 2015

On 06/02/2015 00:21, Florence, Jacques wrote:
> I created a client certificate with custom name attributes:
> In the openssl.cnf file, I addedunder section [ new_oids ] the line: 
> myattribute=
> And under [ req_distinguished_name ] I added the line: myattribute = hello
> If I use the openssl tool x509, I see that my new attribute appears in 
> the name, after the email address.
> However, when the certificate is sent to the server, the server cannot 
> read this attribute.
> I used wireshark and saw that my custome attribute is not sent with 
> the rest of the name.
> Why is that ?
Are you sure this is what is really happening?

If any byte in the signed part of the certificate (and this
most certainly includes the name) is changed, the certificate
should completely fail to verify.

So are you sure the name isn't sent?  Maybe it is just the
utility you use to display the sent certificate which fails
to display unknown name components.


I presume that for any real use, you would use an officially
allocated OID to avoid clashing with what other people use.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list