
OpenSSL generate and sign certificate with custom subject fields


I need to create and sign (I am the CA) a certificate with a custom subject (, SERIALNUMBER=...,).

So far I have modified the openssl config file so that I am able to include custom fields in the subject.

    [ new_oids ]
    SERIALNUMBER = 1.2.3.4.1333

The problem is that after signing such a certificate the new fields appear in that strange numeric format:

    C = FI
    O = Maahanmuuttovirasto
    1.2.3.4.1333 = 00REINIS00

Where and what should I change in my openssl config file to generate a certificate with normal field names? How do I tell the signing process that 1.2.3.4.1333 should be encoded as 'SERIALNUMBER'?

Thank you, Beef


Solution

  • That is actually no error at all. What gets stored in the certificate's subject is a DistinguishedName. Cf. RFC 5280:

    TBSCertificate  ::=  SEQUENCE  {
         version         [0]  Version DEFAULT v1,
         serialNumber         CertificateSerialNumber,
         signature            AlgorithmIdentifier,
         issuer               Name,
         validity             Validity,
         subject              Name,
         subjectPublicKeyInfo SubjectPublicKeyInfo,
         issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version MUST be v2 or v3
         subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version MUST be v2 or v3
         extensions      [3]  Extensions OPTIONAL
                              -- If present, version MUST be v3 --  }
    

    So the subject is a Name, which is defined as

    Name ::= CHOICE { -- only one possibility for now --
          rdnSequence  RDNSequence }
    
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    
    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
    
    AttributeTypeAndValue ::= SEQUENCE {
         type     AttributeType,
         value    AttributeValue }
    
    AttributeType ::= OBJECT IDENTIFIER
    
    AttributeValue ::= ANY -- DEFINED BY AttributeType
    

    So as you can see, the subject consists of a sequence of RelativeDistinguishedNames, each of which represents a pair of an OID plus the assigned value. That implies that 'SERIALNUMBER' will be stored nowhere in your certificate, but only the value for the OID 1.2.3.4.1333. It's up to applications to interpret these OIDs as something meaningful, and there are a number of common OIDs that most applications know and will represent using a string, such as "C", "O", "OU", "CN" and so on (cf. RFC 2253 or RFC 1779).

    But 'SERIALNUMBER' is unknown to OpenSSL by default; in fact, you are adding it to new_oids yourself. Due to this, OpenSSL does not know how to represent 'SERIALNUMBER' other than by printing the OID itself. But any other software that is aware of 'SERIALNUMBER' (IIRC Windows/IE is) will display this correctly as being the value of 'SERIALNUMBER'.
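The Name structure from the answer, as an added example that is not the answerer's code: a stdlib-only Python DER encoder and decoder for an RDNSequence, run over a constructed subject matching the question's output. It shows that only the OID travels in the certificate, and that whether 1.2.3.4.1333 is printed dotted or as a label depends solely on the reading application's lookup table (`KNOWN` here is an assumed, minimal table; the encoder uses PrintableString and short-form lengths only).

```python
KNOWN = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}   # the decoder's own display table
SUBJECT = [("2.5.4.6", "FI"), ("2.5.4.10", "Maahanmuuttovirasto"), ("1.2.3.4.1333", "00REINIS00")]  # constructed

def tlv(tag, body):
    assert len(body) < 0x80, "encoder uses short-form DER lengths only"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def encode_name(pairs):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x13, v.encode())))
                    for o, v in pairs)
    return tlv(0x30, rdns)

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                             # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_name(der, names=KNOWN):
    # Returns [(label, value)]; an OID absent from `names` stays dotted, as OpenSSL shows it
    _, seq, _ = read_tlv(der, 0)
    pos, out = 0, []
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)      # SET (single-valued RDN assumed)
        _, atv, _ = read_tlv(rdn, 0)          # SEQUENCE { type, value }
        _, oid_body, p = read_tlv(atv, 0)
        _, val_body, _ = read_tlv(atv, p)
        oid = decode_oid(oid_body)
        out.append((names.get(oid, oid), val_body.decode()))
    return out
```

Calling `decode_name(encode_name(SUBJECT))` yields the dotted form for the private OID; passing a table that also maps "1.2.3.4.1333" to "SERIALNUMBER" yields the label instead, with the DER bytes unchanged.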