You will need to create a configuration
file for OpenSSL to use. You can obtain a simple configuration file by
using the OpenSSL Command Tool on our PKI Widgets website (https://pkiwidgets.quovadisglobal.com/scriptgen/openssl.aspx).
Within your configuration file, you must first define the section where your OIDs will be listed:
oid_section = {OIDSectionName}
[data] can be anything you wish. Just ensure that you do not include any spaces Here's an example:
oid_section = my_oids
Once you have specified this, then you will need to create the section and list the custom OID(s):
[ {OIDSectionName} ]
{OIDName} = {x.x.x.xx}
{OIDSectionName} is once again, what you specified in the oid_section.
{OIDName} is the name of the OID extension.
{x.x.x.xx} is the numbers of the included OID.
Here's our example:
[ my_oids ] OrganizationID=2.5.4.97
Once you have the oid_section, {OIDName} and its numbers specified, you can insert the OIDName into the subject DN:
distinguished_name = dn
[ DN ]
{OIDName} = {data}
{data} is the data that will be put into that field for the request.
OIDs can also be placed other places in the configuration file.
Instead of putting them in the distinguished_name section, you could put
them in the req_extensions:
req_extensions = req_ext [ req_ext ] OrganizationID=2.5.4.97
Note: Keep in mind that oid_section should not be in any other section. It could be in the first line in your configuration file.
Example of a full configuration file:
oid_section = OIDs [ req ] default_bits = 2048 prompt = no encrypt_key = no default_md = sha1 distinguished_name = dn req_extensions = req_ext [ OIDs ] MySensationalOID=1.2.3.45 MyOutstandingOID=2.3.4.56 [ dn ] CN = John Smith emailAddress = john.smith@quovadisglobal.com O = QuoVadis Group C = US MySensationalOID= Support Department [ req_ext ] subjectAltName = email:john.smith@quovadisglobal.com MyOutstandingOID=Hubert Dean
If you were to save this file as my_oids.conf, then the command in OpenSSL to run would be:
openssl req -new -config my_oids.conf -keyout my_private.key -out my.csr
This will provide you both a private key (my_private.key) and a certificate signing request (my.csr).