I have been creating some certificates for testing purposes. All was going well until I needed to include an x500UniqueIdentifier in the subject of the certificate. It's easy enough to specify the field x500UniqueIdentifier in the configuration file; however, the generated certificates do not align with the sample ones I have available, as the underlying ASN.1 type is wrong, i.e. not a BITSTRING.

Consider the openssl configuration file (called leaf.conf):

[req]
default_bits            = 256
default_md              = sha256
distinguished_name      = req_dn
prompt                  = no
encrypt_key             = no

[req_dn]
OU                      = 00
x500UniqueIdentifier    = SomeText

and the following commands:

openssl genrsa -out testkey.pem
openssl req -x509 -new -config leaf.conf -key testkey.pem -outform pem -out test.pem
openssl x509 -in test.pem -noout -subject

It prints out the subject as:

subject= /OU=00/x500UniqueIdentifier=SomeText

All good!

However, inspecting the ASN.1 produced, we see that the x500UniqueIdentifier has been encoded as a PrintableString. What I would like to do is encode it as a BITSTRING. Moreover, I don't want ASCII text; I want to specify a sequence of bytes as hex. That is, I would like to do something like this:

[req_dn]
OU                      = 00
x500UniqueIdentifier    = ASN1:BITSTRING:HEX:0123456789

However, OpenSSL always seems to encode it as a string (including the ASN1: part). Looking at the man pages for OpenSSL provided an insight into the above, particularly the part relating to encoding arbitrary X.509v3 extensions.

I know this is possible as I have some sample certificates (not created with OpenSSL), and I believe this is possible by directly interfacing with the OpenSSL API in C, but I was hoping there was a simpler way.

Any suggestions would be appreciated.

kazza

1 Answer

The sweet taste of victory after solving my own problem.

In a nutshell, the openssl command-line application does not support what I was trying to do. The ASN.1 notation is only supported for the v3 extensions. Had I read the man pages better, I would have seen the following:

Any additional fields will be treated as though they were a DirectoryString.

See for more info: https://www.openssl.org/docs/manmaster/apps/req.html

However, the related question Certificate subject X.509 provided enough of a hint to suggest that what I wanted to do was not silly. Mainly, the specification for X.520 defines unique identifiers as BITSTRINGs, not DirectoryStrings.

So in the end I whipped up a little patch for OpenSSL that handles x500UniqueIdentifier correctly, and the configuration file can be written as:

[req_dn]
OU                      = 00
x500UniqueIdentifier    = 0x0123456789

In case any other person is trying this, the patch can be found here: http://pastebin.com/ua1uebTD

kazza
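The point of both the question and the answer is the ASN.1 tag carried by the subject attribute, not the text shown by `openssl x509 -subject`, which prints the same `/x500UniqueIdentifier=...` either way. The following is an added example, not code from the question, the answer, or OpenSSL: a small hand-rolled DER encoder and walker in Python that builds the question's subject (OU=00 plus x500UniqueIdentifier, OID 2.5.4.45) both the way `openssl req` emits it (PrintableString, tag 0x13) and the way X.520 specifies it (BIT STRING, tag 0x03, content `00 01 23 45 67 89` for the hex `0123456789`), then reports which tag each attribute value actually uses. The OIDs and tag numbers are the standard ones; the sample subjects are constructed here; the function and constant names are this example's own.

```python
# Added example: minimal DER helpers showing the difference between the subject
# encoding `openssl req` produces for x500UniqueIdentifier (PrintableString, 0x13)
# and the X.520 encoding (BIT STRING, 0x03), plus a walker that reports the tag
# used for every attribute value in a DER-encoded Name. Hand-rolled for
# illustration; this is not OpenSSL's API. Python 3, standard library only.

TAG_BIT_STRING = 0x03
TAG_OID = 0x06
TAG_PRINTABLE_STRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

OID_OU = "2.5.4.11"              # organizationalUnitName
OID_X500_UNIQUE_ID = "2.5.4.45"  # x500UniqueIdentifier (X.520: UniqueIdentifier ::= BIT STRING)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 groups, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_bit_string(data):
    # First content octet = number of unused bits in the last octet; whole bytes -> 0.
    return tlv(TAG_BIT_STRING, b"\x00" + data)


def encode_printable_string(text):
    return tlv(TAG_PRINTABLE_STRING, text.encode("ascii"))


def encode_name(attributes):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one attribute per RDN)."""
    rdns = b"".join(tlv(TAG_SET, tlv(TAG_SEQUENCE, encode_oid(oid) + value))
                    for oid, value in attributes)
    return tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf, pos):
    """Return (tag, content, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def attribute_tags(name_der):
    """Walk a DER Name and return [(oid, value_tag, value_content)] for each attribute."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid_content, after_oid = read_tlv(atv, 0)
            value_tag, value, _ = read_tlv(atv, after_oid)
            found.append((decode_oid(oid_content), value_tag, value))
    return found


def unique_identifiers_are_bit_strings(name_der):
    """True when every x500UniqueIdentifier in the Name carries the X.520 BIT STRING tag."""
    return all(vtag == TAG_BIT_STRING
               for oid, vtag, _ in attribute_tags(name_der)
               if oid == OID_X500_UNIQUE_ID)


# Constructed sample subjects mirroring the question's config: OU=00 plus a unique identifier.
OPENSSL_STYLE = encode_name([(OID_OU, encode_printable_string("00")),
                             (OID_X500_UNIQUE_ID, encode_printable_string("SomeText"))])
X520_STYLE = encode_name([(OID_OU, encode_printable_string("00")),
                          (OID_X500_UNIQUE_ID, encode_bit_string(bytes.fromhex("0123456789")))])

if __name__ == "__main__":
    for label, der in (("openssl req default", OPENSSL_STYLE), ("X.520 BIT STRING", X520_STYLE)):
        print(label, der.hex(), attribute_tags(der), unique_identifiers_are_bit_strings(der))
```

`attribute_tags` can be pointed at the DER of any Name (for instance the subject bytes pulled out of a real certificate with `openssl asn1parse`) to see the tag each value carries, which is the check that distinguishes the sample certificates from the ones `openssl req` generated.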