How do I add additional information to a Certificate Authority Request (CSR)?

I am using OpenSSL to create a Certificate Authority Request (CSR).

The standard fields are:

Common Name: John Doe
Organization: MyCompany Inc.
Organization: Sales
Locality: SF
State: California
Country: USA
Email: john.doe@mycompany.com

However, I want to add my own fields to the certificate, for example:
GroupId: 348348923
EmployeeLevel: class 3

What is the correct way to do this before I ask a certification authority (CA) to sign the CSR?

+3




1 answer


All fields that you describe are subject elements in the X509 CSR. They are actually OIDs (usually displayed by their short name). You can find a list of them here. It takes several things to do what you need to do. First, you have to define the OID you want to map to your short names. There are several ways to do this, but if you want to be technically unique, you must request an IANA Enterprise Number (Personal Assignment List).

If you really don't need such a thing, you can cheat and just make up your own number in the 1.3.6.1.4.1.X section, of course, but I would recommend using a very large number.



Once you have done that, you can define the OID mappings in the OpenSSL conf or in whatever other tool you use. Of course, if you look at the resulting certificate in anything that is not aware of your own mappings, you won't see "GroupId"; instead you will see something like "1.3.6.1.4.1.3838483483.1 = class 3".

It should be noted that if you send this CSR to any publicly trusted CA (not your own CA), there is a very, very high chance that they will leave unknown fields.

Chances are, of course, that you don't necessarily want to do any of this. If you need to encode these values in a certificate, I would suggest either referring directly to your own OID or choosing from a wide variety of infrequently used predefined object identifiers that already have name mappings.
+5
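
The mapping described in the answer, as an added example that is not part of the original answer: a shell script that writes an OpenSSL config with an `oid_section`, builds the CSR, and shows the subject with and without the short names. The section names `custom_oids` and `subject`, the `.2` sub-identifier, and `C = US` (the field takes a two-letter code) are assumptions; the enterprise arc is the made-up number from the answer.

```shell
#!/bin/sh
# Added example. The 1.3.6.1.4.1.3838483483 arc is the made-up number from
# the answer, not a registered IANA enterprise number.

make_csr() {   # $1 = working directory
    cat > "$1/csr.cnf" <<'EOF'
oid_section = custom_oids

[ custom_oids ]
GroupId       = 1.3.6.1.4.1.3838483483.1
EmployeeLevel = 1.3.6.1.4.1.3838483483.2

[ req ]
prompt             = no
distinguished_name = subject

[ subject ]
C             = US
ST            = California
L             = SF
O             = MyCompany Inc.
OU            = Sales
CN            = John Doe
emailAddress  = john.doe@mycompany.com
GroupId       = 348348923
EmployeeLevel = class 3
EOF
    # Generate a throwaway key and the request in one step.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.cnf" \
        -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null
}

# Subject as printed by a tool that has the short-name mappings loaded.
subject_with_names() {
    openssl req -in "$1/req.csr" -noout -subject -config "$1/csr.cnf"
}

# OIDs as encoded in the request; the custom ones appear in dotted form
# because the names live in the config, not in the CSR.
raw_oids() {
    openssl asn1parse -in "$1/req.csr" | grep 'OBJECT'
}

dir=$(mktemp -d)
make_csr "$dir" && subject_with_names "$dir" && raw_oids "$dir"
```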

