I know how to create x509 certificates with the openssl command line. But now I want to create one with a custom extension. How can I do this with openssl command line?
Openssl Custom Extension
Tags: command-line-interface, openssl, x509
Best Answer
Here's an example for adding a set of S/MIME client capability extensions when signing an S/MIME user cert, taken from an example on the OpenSSL mailing list:
This is activated by, amongst other ways, using the openssl command-line option -extensions my_cert_extensions. There are two more pieces to the puzzle:

If you wish to add text using an existing extension it's usually a little easier, if you have:

CA_default is used during the normal CA signing; if you can use a pre-defined extension then all you have to do is add it to the usr_cert section, no extra command line options required. (nsComment is technically deprecated, but it still works; it's a simple example and is easily viewable within certificate properties in common browsers.)

See the x509v3_config man page which explains extensions basics, and the OpenSSL source crypto/objects/objects.txt for the somewhat cryptic details (this file is processed and used to generate code). An OID is typically associated with a discrete concept, like a noun, a verb, an attribute or even something less tangible (like UUIDs, but hierarchical). nsComment has a defined meaning (free-form text comments inside certificates); others like keyUsage have stricter semantics. Within OpenSSL the name "nsComment" is mapped to OID 2.16.840.1.113730.1.13, as set in objects.txt. Every extension in an X.509v3 certificate has an OID, see https://stackoverflow.com/questions/15299201/asn-1-octet-strings.

If there is no suitable extension in OpenSSL (see RFC 5280 §4.2 Certificate Extensions), you may be able to find one and add it (see the "Arbitrary Extensions" section in the x509v3_config man page linked above). Otherwise you will need to define OIDs for your own purposes.
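The answer's own config snippets are not reproduced on this page, so the following is an added, self-contained example (not the answer author's code and not part of OpenSSL's distribution) that puts the pieces together: a config file whose extension section is selected with -extensions my_cert_extensions, carrying a pre-defined extension (nsComment, plus keyUsage), an arbitrary extension written in the x509v3_config "Arbitrary Extensions" syntax, and an oid_section that gives that private OID a name. The OID 1.3.6.1.4.1.99999.1.1 is a constructed placeholder under the private-enterprise arc, not a registered one; the file names and the CN are made up, and openssl (1.1 or 3.x) is assumed to be in PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer or of OpenSSL's own files.
# Builds a self-signed certificate whose extensions come from a config
# section selected with "-extensions my_cert_extensions": a pre-defined
# extension (nsComment) plus an arbitrary extension identified by OID.
# Assumptions: openssl (1.1 or 3.x) is in PATH; 1.3.6.1.4.1.99999.1.1 is a
# constructed placeholder OID, not a registered one; file names are made up.
set -eu

# Write the config and issue the certificate; prints the cert path.
make_custom_cert() {
  workdir="$1"
  mkdir -p "$workdir"
  cat > "$workdir/custom.cnf" <<'EOF'
# Give a private OID a name so it can be referenced like a built-in extension.
oid_section = custom_oids

[ custom_oids ]
myExampleExt = 1.3.6.1.4.1.99999.1.1

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = custom-extension.example

# Selected on the command line with: -extensions my_cert_extensions
[ my_cert_extensions ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
nsComment = "Issued by the added example script"
# Arbitrary extension (x509v3_config "Arbitrary Extensions"): name = ASN1:<type>:<value>
myExampleExt = ASN1:UTF8String:custom-extension-value
EOF

  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" \
    -config "$workdir/custom.cnf" -extensions my_cert_extensions \
    >/dev/null 2>&1
  echo "$workdir/cert.pem"
}

# Print the decoded extension block of a certificate.
cert_extensions_text() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 extensions:/,/Signature Algorithm:/p'
}

# Succeed if the decoded extensions mention the given string
# (a known name such as "Netscape Comment", or the raw OID for unknown ones:
# a separate "openssl x509" process does not load custom.cnf, so the private
# extension is printed by its numeric OID and a hex dump of its value).
has_extension() {
  cert_extensions_text "$1" | grep -q -- "$2"
}

# Usage: sh custom_ext.sh /tmp/custom-ext-demo
if [ $# -gt 0 ]; then
  cert_extensions_text "$(make_custom_cert "$1")"
fi
```

Running it prints the decoded extension block; nsComment appears as "Netscape Comment" with its text, while the private extension shows up under its numeric OID because the x509 subcommand only knows the name while custom.cnf is loaded. To add the same extensions during normal CA signing instead of a self-signed request, the same section contents go into the section named by x509_extensions in CA_default (usr_cert in the stock config), as the answer describes.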