I'm trying to build a PKI using the OpenSSL command line tools. The end entity certificates need to have a custom extension with a custom OID that will hold some additional information. So far I have been able to get the custom extension with my own OID into the certificates; the only problem I'm facing is that this only adds one field. I need a whole ASN.1 module in there, as we see with the standard extensions like Basic Constraints. Is there any way to do so using OpenSSL command line tools and config files?
The following doc shows that it's possible to specify one's own ASN.1 modules, but I can't find a way to get this into a CSR and from there into the certificate. https://www.openssl.org/docs/man1.0.2/man3/ASN1_generate_v3.html
Found it. In the configuration used to create a certificate or a CSR, one can use the information given in the man page linked above. The ASN.1 module is described as stated there, and one can tell OpenSSL to write an extension according to this description by starting with ASN1:Type:NextSection. In the sections describing each level of the ASN.1 module the keyword ASN1 isn't needed anymore.
```
...
[ usr_ext ]
# Extensions for client certificates (`man x509v3_config`).
keyUsage = digitalSignature
1.2.3.4.5.6.7.8.9 = ASN1:SEQUENCE:CustomExt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[CustomExt]
wrappingSeq = SEQUENCE:ExtOid
key = FORMAT:HEX,BITSTRING:abcdef1234556789

[ExtOid]
oid = OID:1.3.101.110
```
This ends up encoded as follows:
```
SEQUENCE
  OBJECT IDENTIFIER 1.2.3.4.5.6.7.8.9
  OCTET STRING
    SEQUENCE
      OBJECT IDENTIFIER 1.3.101.110
      BIT STRING 0xabcdef1234556789
```
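As an added end-to-end example (not code from the original question or answer), the following POSIX shell script wraps the answer's configuration in a complete flow: it writes the config, creates a throwaway CA, puts the custom extension into a CSR, copies it into the issued certificate, and dumps the DER of the extension value with `openssl asn1parse -strparse` so the nesting can be inspected. The OID `1.2.3.4.5.6.7.8.9` and the `CustomExt`/`ExtOid` sections are taken from the answer; the file names, subject names, EC key type, working directory and the `ca_ext` section are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates getting an
# ASN1:-generated custom extension from config -> CSR -> certificate.
# Assumptions: OID 1.2.3.4.5.6.7.8.9 and the CustomExt/ExtOid layout come
# from the answer; file names, subjects, key type and work dir are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# usr_ext is reused for the CSR (-reqexts) and for the issued cert
# (-extfile/-extensions). "ASN1:" is only written at the top level; the
# nested sections use the bare type names from ASN1_generate_v3(3).
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = usr_ext

[ dn ]
CN = custom-ext-demo

[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign

[ usr_ext ]
keyUsage             = digitalSignature
subjectKeyIdentifier = hash
1.2.3.4.5.6.7.8.9    = ASN1:SEQUENCE:CustomExt

[ CustomExt ]
wrappingSeq = SEQUENCE:ExtOid
key         = FORMAT:HEX,BITSTRING:abcdef1234556789

[ ExtOid ]
oid = OID:1.3.101.110
EOF
}

# Self-signed CA with proper CA extensions (ca_ext), valid for one day.
make_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -config "$CNF" \
    -subj "/CN=demo-ca" -extensions ca_ext -days 1 -out "$WORK/ca.crt"
}

# CSR carrying the custom extension; -reqexts names the section to embed.
make_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ee.key" 2>/dev/null
  openssl req -new -key "$WORK/ee.key" -config "$CNF" -reqexts usr_ext \
    -out "$WORK/ee.csr"
}

# "openssl x509 -req" does not copy CSR extensions by default, so the same
# section is applied again from the config file at signing time.
sign_csr() {
  openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions usr_ext \
    -out "$WORK/ee.crt" 2>/dev/null
}

# 0 if the CSR's text dump lists the custom OID (extension made it in).
csr_has_extension() {
  openssl req -in "$WORK/ee.csr" -noout -text | grep -q '1\.2\.3\.4\.5\.6\.7\.8\.9'
}

# 0 if the issued certificate chains to the throwaway CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/ee.crt" >/dev/null
}

# In asn1parse output the line after the extension OID is its OCTET STRING.
extension_octets_line() {
  openssl asn1parse -in "$WORK/ee.crt" \
    | awk '/OBJECT *:1\.2\.3\.4\.5\.6\.7\.8\.9/ { getline; print; exit }'
}

# Hex of the DER inside that OCTET STRING, lower-cased for comparison.
extension_value_hex() {
  extension_octets_line | sed -n 's/.*\[HEX DUMP\]://p' | tr 'A-Z' 'a-z'
}

# Parse the OCTET STRING contents to show SEQUENCE / SEQUENCE{OID} / BIT STRING.
show_extension_structure() {
  off=$(extension_octets_line | cut -d: -f1 | tr -d ' ')
  openssl asn1parse -in "$WORK/ee.crt" -strparse "$off"
}

write_config
make_ca
make_csr
sign_csr
csr_has_extension
verify_chain
echo "extension value DER: $(extension_value_hex)"
show_extension_structure
```

Two things worth checking when adapting this: `openssl x509 -req` silently drops the CSR's extensions unless you pass `-extfile`/`-extensions` (or, on OpenSSL 3.x, `-copy_extensions copy`), and `openssl ca` needs `copy_extensions = copy` in its config section for the same reason; otherwise the extension shows up in `openssl req -text` but not in the certificate. The `-strparse` step is the quickest way to confirm that the nesting you configured is the nesting that was actually encoded.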