Articles in Root

Inserting Custom OIDs into OpenSSL

Solution

You will need to create a configuration file for OpenSSL to use.  You can obtain a simple configuration file by using the OpenSSL Command Tool on our PKI Widgets website (https://pkiwidgets.quovadisglobal.com/scriptgen/openssl.aspx).
 
Within your configuration file, you must first define the section where your OIDs will be listed:
oid_section = {OIDSectionName}

[data] can be anything you wish. Just ensure that you do not include any spaces  Here's an example:
oid_section = my_oids

Once you have specified this, then you will need to create the section and list the custom OID(s):
[ {OIDSectionName} ]

{OIDName} = {x.x.x.xx}

{OIDSectionName} is once again, what you specified in the oid_section.
{OIDName} is the name of the OID extension.
{x.x.x.xx} is the numbers of the included OID.
 
Here's our example:
[ my_oids ]

OrganizationID=2.5.4.97

Once you have the oid_section, {OIDName} and its numbers specified, you can insert the OIDName into the subject DN:
distinguished_name = dn

[ DN ]

{OIDName} = {data}

 
{data} is the data that will be put into that field for the request.
 
OIDs can also be placed other places in the configuration file.  Instead of putting them in the distinguished_name section, you could put them in the req_extensions:
req_extensions = req_ext

[ req_ext ]

OrganizationID=2.5.4.97

 
Note: Keep in mind that oid_section should not be in any other section.  It could be in the first line in your configuration file.
 
Example of a full configuration file:
oid_section = OIDs

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha1
distinguished_name = dn
req_extensions = req_ext

[ OIDs ]
MySensationalOID=1.2.3.45
MyOutstandingOID=2.3.4.56

[ dn ]
CN = John Smith
emailAddress = john.smith@quovadisglobal.com
O = QuoVadis Group
C = US
MySensationalOID= Support Department

[ req_ext ]
subjectAltName = email:john.smith@quovadisglobal.com
MyOutstandingOID=Hubert Dean

If you were to save this file as my_oids.conf, then the command in OpenSSL to run would be:
openssl req -new -config my_oids.conf -keyout my_private.key -out my.csr
This will provide you both a private key (my_private.key) and a certificate signing request (my.csr).