Custom certificate extension / struggling with ASN.1


Liße, Jan (TEVEGE)

I have the requirement to embed a custom extension in an X.509 certificate. This extension should carry
role information about the role of the certificate owner.
A single role should be expressed with an IA5String value like "User". It must be possible
for a user to have multiple roles like "User", "Administrator" etc.
I want to register a custom OID for my role attribute.
This is the ASN.1 definition:

Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,      -- the custom OID
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING (CONTAINING Role)
}

Role ::= IA5String

(I don't know how to specify in ASN.1 syntax that Role can have multiple values...)

Now when it comes to certificate creation with OpenSSL I'm not sure how to enter
my extension and its value(s) correctly into the cert. I read the manpage of ASN1_generate_nconf
and openssl.txt but I'm still confused. Here is what I think I have to do:

Add the new oid to openssl.cnf, [ new_oids ] as
my_role_extension = x.x.x.x.x

and later enter the value(s)


Is the 2nd step correct? Especially when it comes to entering multiple
values (in this example User and Administrator) for the same field (role)? Is the syntax correct?

Thanks in advance for any help!


OpenSSL Project
User Support Mailing List        [hidden email]
Automated List Manager           [hidden email]
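The following is an added example, not code from the post or from the OpenSSL project. It shows one way to express "multiple roles" that the post's ASN.1 leaves open: define the extension contents as `Roles ::= SEQUENCE OF IA5String`, DER-encode that with one element per role, wrap it in the `extnValue` OCTET STRING, and parse it back strictly (rejecting non-IA5 characters, non-minimal lengths and trailing bytes, which is what a verifier that reads the extension should do). It also prints the matching `openssl.cnf` fragment in `ASN1_generate_nconf` syntax, where `SEQUENCE:roles` points at a section whose fields (`role.1`, `role.2`, ...) need distinct names. The OID `1.2.3.4` is a placeholder for the poster's unregistered `x.x.x.x.x`; the section name `roles` and the field names are assumptions.

```python
# Added example (not from the mailing-list post): DER-encode the roles
# extension as  Roles ::= SEQUENCE OF IA5String, wrap it in the extnValue
# OCTET STRING, decode it back strictly, and emit the matching openssl.cnf
# fragment in ASN1_generate_nconf syntax.
# 1.2.3.4 is a placeholder OID, not a registered arc.

PLACEHOLDER_OID = "1.2.3.4"   # stand-in for the poster's "x.x.x.x.x"

TAG_IA5STRING = 0x16
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30           # universal 16 with the constructed bit set


def der_length(n: int) -> bytes:
    """DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_ia5(s: str) -> bytes:
    """IA5String only allows 7-bit ASCII; refuse anything else."""
    if any(ord(c) > 0x7F for c in s):
        raise ValueError(f"not IA5: {s!r}")
    return der_tlv(TAG_IA5STRING, s.encode("ascii"))


def encode_roles(roles) -> bytes:
    """Roles ::= SEQUENCE OF IA5String (one element per role)."""
    return der_tlv(TAG_SEQUENCE, b"".join(encode_ia5(r) for r in roles))


def encode_extn_value(roles) -> bytes:
    """extnValue OCTET STRING wrapping the DER-encoded Roles."""
    return der_tlv(TAG_OCTET_STRING, encode_roles(roles))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); rejects indefinite, non-minimal
    and truncated lengths so malformed input fails instead of being skipped."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or nbytes != (length.bit_length() + 7) // 8:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_roles(extn_value: bytes):
    """Parse an extnValue back into a list of role strings, strictly."""
    tag, seq, end = _read_tlv(extn_value, 0)
    if tag != TAG_OCTET_STRING or end != len(extn_value):
        raise ValueError("extnValue must be exactly one OCTET STRING")
    tag, content, end = _read_tlv(seq, 0)
    if tag != TAG_SEQUENCE or end != len(seq):
        raise ValueError("expected a single SEQUENCE OF IA5String")
    roles, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        if tag != TAG_IA5STRING:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside Roles")
        roles.append(val.decode("ascii"))   # raises on non-IA5 bytes
    return roles


def openssl_cnf_fragment(oid: str, roles) -> str:
    """openssl.cnf lines that make ASN1_generate_nconf emit the same DER.
    Goes in the extension section (e.g. [ v3_req ] or [ v3_ca ]); the
    section name 'roles' and the field names are assumptions."""
    lines = [f"{oid} = ASN1:SEQUENCE:roles", "", "[ roles ]"]
    lines += [f"role.{i} = IA5STRING:{r}" for i, r in enumerate(roles, 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    roles = ["User", "Administrator"]   # constructed sample input
    der = encode_extn_value(roles)
    print(der.hex())
    print(decode_roles(der))
    print(openssl_cnf_fragment(PLACEHOLDER_OID, roles))
```

After generating a certificate with such a config section, `openssl asn1parse -in cert.pem -strparse <offset>` on the extension's OCTET STRING should show the same SEQUENCE of IA5STRING values that `encode_roles` produces; a relying party should parse it with the strict checks above rather than searching the DER for substrings.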