I need to create and sign (I am CA) certificate with custom subject (, SERIALNUMBER=...,).
So far I have modified openssl config file so I am able to inclde custom fields in subject.
[ new_oids ]
SERIALNUMBER = 1.2.3.4.1333
Problem is, that after signing such certificate new fields appear in that strange number format -
C = FI
O = Maahanmuuttovirasto
1.2.3.4.1333 = 00REINIS00
where and what should I change in my openssl config file to generate certificate with normal field names? How do I tell to signing process that 1.2.3.4.1333 should be encoded as 'SERIALNUMBER'.
Thank you, Beef
That is actually no error at all. What gets stored in the certificate's subject is a DistinguishedName. Cf. RFC 5280
TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version MUST be v3 -- }
So the subject is a Name
, this is defined as
Name ::= CHOICE { -- only one possibility for now --
rdnSequence RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- DEFINED BY AttributeType
So as you can see, the subject consists of a sequence of RelativeDistingsuishedNames, that each represent a pair of an oid plus the assigned value. That implies that nowhere in your certificate 'SERIALNUMBER' will be stored, but only the value for the oid, 1.2.3.4.1333. It's up to applications to interpret these oids as something meaningful and there are a number of common oids that most applications know and will represent using a string, such as "C", "O", "OU", "CN" and so on ( cf. RFC 2253 or RFC 1779).
But 'SERIALNUMBER' is unknown to OpenSSL by default, in fact, you are adding it to new_oids
yourself. Due to this, OpenSSL does not know how to represent 'SERIALNUMBER' other than by printing the OID itself. But any other software that is aware of 'SERIALNUMBER' (IIRC Windows/IE is) will display this correctly as being the value of 'SERIALNUMBER'.