Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR
Jakob Bohm
jb-openssl at wisemo.com
Fri Oct 15 13:06:00 UTC 2021
On 2021-10-14 18:43, Philip Prindeville wrote:
> Hi,
>
> I need to generate CSR's with some Extensions included that use our PEN's as allocated by IANA.
>
> Are there any examples of this?
>
> Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a STACK_OF(X509_EXTENSION) but it doesn't seem to actually iterate through the stack... Is this code even correct? What am I missing? Ditto for X509_REQ_add_extensions().
>
> Thanks,
>
> -Philip
>
I don't know how to do this via the API, but the source code for the
command line tools may give some good clues. Here is how I would do it
with the command line tools:
First of all, you need to (administratively) decide how to subdivide
your private OID tree below your enterprise ID. This would be a
company internal document listing how you use the OIDs and where to
put future OIDs of various kinds. Use whatever document editing
system is used for other long term company documents. Something like:
Redfish solutions has been allocated the following OID prefix
via the IANA "Enterprise numbers" process:
RedfishOid = 1.3.6.1.4.1.9999999
We subdivide this as follows:
RedfishOid.1 = Redfish X.509 extensions
RedfishOid.1.1 = FooBar extension, see design document RS12345
RedfishOid.1.2 = BazQux extension, see design document RS12346
RedfishOid.2 = Redfish SNMP extensions
RedfishOid.2.1 = Redfish hardware-box-A SNMP extensions
RedfishOid.3 = Redfish contributions to public standardisation efforts
RedfishOid.4 = Redfish internal LDAP extensions used by HR
Next for the OpenSSL command line tools, you need to add the individual
X.509 related OIDs to the openssl.cnf file:
In the [default] section:
oid_section = new_oids
In the [new_oids] section
RedFishFooBar=1.3.6.1.4.1.9999999.1.1
RedFishBazQux=1.3.6.1.4.1.9999999.1.2
From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to be encoded.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
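The command-line procedure sketched in the reply above, carried through end to end as an added example (this is not code from the original thread or from the OpenSSL project). It writes a self-contained config with an oid_section, registers two private extension names under a constructed placeholder enterprise number 9999999 (not a real IANA allocation), requests them in a CSR using the generic ASN1: encoding syntax, and then checks from the outside that the CSR really carries the OIDs. The shell function names, the CN and the extension values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL itself.
# Enterprise number 9999999 is a constructed placeholder, never a real PEN.
set -eu

# Writes a minimal openssl config into $1 and generates key + CSR there.
make_csr() {
    workdir="$1"
    mkdir -p "$workdir"

    # oid_section sits in the default (unnamed) section so the new short
    # names are registered before any later section refers to them.
    cat > "$workdir/csr.cnf" <<'EOF'
oid_section = new_oids

[ new_oids ]
RedFishFooBar = 1.3.6.1.4.1.9999999.1.1
RedFishBazQux = 1.3.6.1.4.1.9999999.1.2

[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
CN = device-0001.example.internal

[ req_ext ]
subjectAltName = DNS:device-0001.example.internal
# Arbitrary extension: the ASN1: prefix states the exact DER encoding.
RedFishFooBar = ASN1:UTF8String:foobar-v1
# A critical private extension; a CA that does not understand it must reject the request.
RedFishBazQux = critical,ASN1:INTEGER:42
EOF

    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/key.pem" -out "$workdir/csr.pem" \
        -config "$workdir/csr.cnf" 2>/dev/null
}

# Returns 0 if the CSR's requested-extensions attribute contains the
# given OID (printed in dotted form because the default config does not
# know our private names), 1 otherwise.
csr_has_ext() {
    csr="$1"
    oid="$2"
    openssl req -in "$csr" -noout -text | grep -qF "$oid"
}

# Stand-alone usage: sh this-script.sh /tmp/pen-csr
if [ $# -ge 1 ]; then
    make_csr "$1"
    openssl req -in "$1/csr.pem" -noout -text | sed -n '/Requested Extensions/,$p'
fi
```

When the CSR is inspected with a plain `openssl req -text` (no -config), the private extensions show up by dotted OID with a hex dump of their DER value; pass `-config csr.cnf` to the inspecting command as well if you want the RedFishFooBar / RedFishBazQux short names printed instead. Marking an extension critical in a CSR is a request, not a guarantee: the issuing CA decides which requested extensions it copies into the certificate.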