1

I need to add the following SAN to a certificate:

oid:1.2.3.4.5.5

My normal certificate creation process is to generate an openssl.cnf file, then using this file generate a csr (certificate signing request), and then generate a certificate from the csr using my own CA.

The .cnf file is a plain text file which contains a section describing all the SANs that I would like included in the csr and eventually the crt. That section looks like this:

...
[san]
DNS.1 = foo.bar
DNS.2 = baz.foobar
IP.1 = 1.1.1.1
IP.2 = 2.2.2.2
...

I have tried inserting the OID entry 3 different ways:

attempt 1) OID.1 = 1.2.3.4.5.5
attempt 2) DNS.3 = 1.2.3.4.5.5
attempt 3) IP.3 = 1.2.3.4.5.5

With 1) I get an error when trying to generate the certificate, indicating that the prefix OID is unrecognized. With 2) and 3) I am able to generate the crt, but when I put it in place the SAN oid:1.2.3.4.5.5 is not supported.

So, I am wondering what the correct syntax would be for adding such an entry to the Subject Alternative Names section of an openssl.cnf file.

Cheers!

user1797466
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Jun 28 '16 at 15:51

3 Answers

5

Based on Steffen Ullrich's answer, this version correctly specifies the OID identifier in a complete example:

subjectAltName=@san
[san]
DNS.1=foo.example.com
DNS.2=bar.example.com
RID.1=1.2.3.4.5.5

Alternatively, do it on one line:

subjectAltName=DNS:foo.example.com,DNS:bar.example.com,RID:1.2.3.4.5.5

This is particularly useful when combined with https://security.stackexchange.com/a/91556 to pass -config options to the CLI without using a .cnf file.

Xuor
1

From the documentation of the config file:

otherName can include arbitrary data associated with an OID: the value should be the OID followed by a semicolon and the content in standard ASN1_generate_nconf format.

Examples:

subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

or with your example of having a SAN section it should be:

subjectAltName=@san
[san]
DNS.1=foo.example.com
DNS.2=bar.example.com
otherName.1=1.2.3.4;UTF8:some other identifier
Steffen Ullrich
0

My difficulty was adding otherName, but this works:

openssl req -sha1 -x509 -newkey rsa:2048 -keyout private_key.pem -out certificate.pem -days 99999 -nodes  -subj "/C=BR/ST=DF/L=Distrito Federal/O=Brasilia/CN=Company name:88022130000176" -extensions san -config <(echo "[req]";echo distinguished_name=req;echo "[san]";echo extendedKeyUsage=clientAuth,emailProtection;echo subjectAltName=email:company@company.com.br, otherName:2.16.76.1.3.3\;UTF8:88022130000176;)

openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -out company.pfx -name "Self signed certificate for Company"

The ; in the otherName punished me :)

I needed to escape...

This helped me too: How to generate a self-signed SSL certificate using OpenSSL?

Tested with openssl versions:

❯ openssl version
LibreSSL 2.8.3
# openssl version
OpenSSL 1.1.1n  15 Mar 2022
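The following is an added example, not code from the question or from any of the answers above. It puts the two OID-carrying GeneralName types side by side in one config section: RID (registeredID, the first answer) and otherName (the second answer), next to the DNS and IP entries the question already uses. "OID" is not one of the prefixes OpenSSL's subjectAltName syntax accepts (email, URI, DNS, RID, IP, dirName, otherName), which is why attempt 1 in the question was rejected. Which of RID or otherName is right depends on what the consuming software expects, since they are encoded differently; the script decodes the resulting CSR so you can see each one as OpenSSL prints it. Because the config lives in a file rather than on the command line, the semicolon inside the otherName value needs no escaping (the problem the third answer ran into). The hostnames, the IP address and the OID 1.2.3.4.5.5 are placeholders carried over from the question, not real identifiers, and the script assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Builds a CSR
# whose subjectAltName carries a registeredID (RID) and an otherName from
# the same [san] section, then prints the SAN as OpenSSL decodes it.
# Names, IP and OID below are placeholders, not real identifiers.
set -eu

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# The values live in a config file, so the ';' separating the otherName OID
# from its value is passed through untouched (no shell escaping needed).
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
CN = foo.example.com

[v3_req]
subjectAltName = @san

[san]
DNS.1       = foo.example.com
DNS.2       = bar.example.com
IP.1        = 192.0.2.10
RID.1       = 1.2.3.4.5.5
otherName.1 = 1.2.3.4.5.5;UTF8:some other identifier
EOF
}

# Generate a throwaway key and a CSR carrying the SAN extension. Idempotent,
# so the helpers below can call it freely.
make_csr() {
    [ -s "$WORK/req.csr" ] && return 0
    write_config
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -config "$WORK/san.cnf" -out "$WORK/req.csr" 2>/dev/null
}

# Print only the decoded SAN line of the CSR, which looks like:
#   DNS:foo.example.com, DNS:bar.example.com, IP Address:192.0.2.10,
#   Registered ID:1.2.3.4.5.5, othername:...
# Older OpenSSL releases print the otherName value as "othername:<unsupported>";
# that is a display limitation, the name is still encoded in the request.
san_text() {
    make_csr
    openssl req -in "$WORK/req.csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}'
}

# True when the decoded SAN contains the given fragment (case-insensitive).
san_has() {
    san_text | grep -qi -- "$1"
}

san_text
```

Run the same check on the certificate your CA issues from this CSR (`openssl x509 -in cert.pem -noout -text`) rather than trusting the request alone: a CA config that does not copy request extensions, or that overrides subjectAltName, silently drops the entry.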