I need to add the following SAN to a certificate:
oid:1.2.3.4.5.5
My normal certificate creation process is to generate an openssl.cnf file, then using this file generate a csr (certificate signing request), and then generate a certificate from the csr using my own CA.
The .cnf file is a plain text file which contains a section describing all the SANs that I would like included in the csr and eventually the crt. That section looks like this:
...
[san]
DNS.1 = foo.bar
DNS.2 = baz.foobar
IP.1 = 1.1.1.1
IP.2 = 2.2.2.2
...
I have tried inserting the OID entry 3 different ways:
attempt 1) OID.1 = 1.2.3.4.5.5
attempt 2) DNS.3 = 1.2.3.4.5.5
attempt 3) IP.3 = 1.2.3.4.5.5
With 1) I get an error when trying to generate the certificate, indicating that the prefix OID is unrecognized. With 2) and 3) I am able to generate the crt, but when I put it in place the SAN oid:1.2.3.4.5.5 is not supported.
So, I am wondering what the correct syntax would be for adding such an entry to the Subject Alternative Names section of an openssl.cnf file.
Cheers!
Based on Steffen Ullrich's answer, this version correctly specifies the OID identifier in a complete example:
subjectAltName=@san
[san]
DNS.1=foo.example.com
DNS.2=bar.example.com
RID.1=1.2.3.4.5.5
Alternatively, do it on one line:
subjectAltName=DNS:foo.example.com,DNS:bar.example.com,RID:1.2.3.4.5.5
This is particularly useful when combined with https://security.stackexchange.com/a/91556 to pass -config options to the CLI without using a .cnf file.
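
An end-to-end check of the `RID.1` entry through the cnf, CSR and CA-signing workflow from the question, added here as an example and not part of the original posts. The throwaway CA, the file names and the section names `dn`, `ca_ext` and `v3_req` are constructed for illustration; `-extfile`/`-extensions` are given at signing time because `openssl x509 -req` does not copy extensions from the CSR by default.

```sh
#!/bin/sh
# Added example; all file, section and subject names are constructed.
make_rid_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = foo.example.com
[ca_ext]
basicConstraints = critical,CA:TRUE
[v3_req]
subjectAltName = @san
[san]
DNS.1 = foo.example.com
DNS.2 = bar.example.com
RID.1 = 1.2.3.4.5.5
EOF
    san=$(
        # Throwaway self-signed CA standing in for "my own CA".
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=Test CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 &&
        # CSR: req_extensions places the [san] entries in the request.
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
            -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 &&
        # Signing: re-apply the same extension section, since the CSR's
        # extensions are not copied into the certificate by default.
        openssl x509 -req -in "$dir/leaf.csr" -days 1 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/openssl.cnf" -extensions v3_req \
            -out "$dir/leaf.crt" >/dev/null 2>&1 &&
        # Print only the SAN value line of the issued certificate.
        openssl x509 -in "$dir/leaf.crt" -noout -text |
            grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    )
    rm -rf "$dir"
    printf '%s\n' "$san"
}
```

Calling `make_rid_cert` prints the SAN line of the issued certificate, where OpenSSL renders the registeredID entry as `Registered ID:1.2.3.4.5.5` next to the two DNS names.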