Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR

Jakob Bohm jb-openssl at wisemo.com
Fri Oct 15 13:06:00 UTC 2021

On 2021-10-14 18:43, Philip Prindeville wrote:
> Hi,
> I need to generate CSR's with some Extensions included that use our PEN's as allocated by IANA.
> Are there any examples of this?
> Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a STACK_OF(X509_EXTENSION) but it doesn't seem to actually iterate through the stack...  Is this code even correct?  What am I missing?  Ditto for X509_REQ_add_extensions().
> Thanks,
> -Philip
I don't know how to do this via the API, but the source code for the
command line tools may give some good clues.  Here is how I would do it
with the command line tools:

First of all, you need to (administratively) decide how to subdivide
your private OID tree belowyour enterprise ID.  This would be a
company internal document listing how you use the OIDsand where to
put future OIDs of various kinds.  Use whatever document editing
system is usedfor other long term company documents.  Something like:

    Redfish solutions has been allocated the following OID prefix
    via the IANA "Enterprise numbers"process:

    RedfishOid =

    We subdivide this as follows:

    RedfishOid.1 = Redfish X.509 extensions
    RedfishOid.1.1 = FooBar extension, see design document RS12345
    RedfishOid.1.2 = BazQux extension, see design document RS12346
    RedfishOid.2 = Redfish SNMP extensions
    RedfishOid.2.1 = Redfish hardware-box-A SNMP extensions
    RedfishOid.3 = Redfish contributions to public standardisation efforts
    RedfishOid.4 = Redfish internal LDAP extensions used by HR

Next for the OpenSSL command line tools, you need to add the individual
X.509 relatedOIDs to the openssl.cnf file:

    In the [default] section:
    oid_section = new_oids

    In the [new_oids] section

 From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to beencoded.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list