Question
I'm using OpenSSL to generate a Certificate Service Request (CSR).
The standard fields are:
Common Name: John Doe
Organization: MyCompany Inc.
Organization Unit: Sales
Locality: SF
State: CA
Country: US
Email: john.doe@mycompany.com
However I want to add my own fields to the certificate such as:
GroupId: 348348923
EmployeeLevel: Class 3
What is the proper way to do this before I request the Certificate Authority (CA) sign the CSR?
Answer 1:
All the fields you're describing are subject items in an X509 CSR. They're actually OIDs (usually displayed by their given short name). You can find a list of them here. To do what you want requires a few things. First, you must define an OID that you want to map to your short names. There are several ways to do this, but if you want to guarantee uniqueness technically you should be requesting an enterprise number from IANA (list of private assignments).
If you don't really need that sort of thing you can cheat and just generate your own made-up # under 1.3.6.1.4.1.X of course, but I'd recommend using a very large #.
Once you've done that you can define OpenSSL OID mappings in the conf or whatever other tool you may be using. Of course, if you view the resulting certificate in anything that's unaware of your own mappings you won't see "GroupId" but will instead see something more like "1.3.6.1.4.1.3838483483.1=Class 3".
It should be noted that if you're sending this CSR to any publicly trusted CA (rather than your own private CA) there's a very, very high probability that they will drop any unknown fields.
Of course, chances are you don't necessarily want to do any of this. If you need to encode these values into a certificate I'd suggest either directly referencing your made-up OID or choosing from the wide variety of rarely used predefined subject OIDs that have shortname mappings already.
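The OID mapping described in the answer, written out as an OpenSSL config and exercised end to end (an added example, not part of the original answer). The arc 1.3.6.1.4.1.3838483483 is the answer's made-up number used as a placeholder; the .1/.2 assignments, the function names and the file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: custom subject attributes in a CSR via OpenSSL's oid_section.
# 1.3.6.1.4.1.3838483483 is a made-up placeholder arc; replace it with your own
# IANA enterprise number. The .1/.2 assignments and file names are assumptions.
set -eu

make_csr() {            # $1 = working directory
  cat > "$1/csr.cnf" <<'EOF'
oid_section = custom_oids

[ custom_oids ]
EmployeeLevel = 1.3.6.1.4.1.3838483483.1
GroupId       = 1.3.6.1.4.1.3838483483.2

[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
C             = US
ST            = CA
L             = SF
O             = MyCompany Inc.
OU            = Sales
CN            = John Doe
emailAddress  = john.doe@mycompany.com
GroupId       = 348348923
EmployeeLevel = Class 3
EOF
  # A config with no OID mappings, standing in for a tool that does not know them.
  printf '[ req ]\nprompt = no\n' > "$1/plain.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.cnf" \
    -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null
}

show_subject() {        # $1 = working directory, $2 = config file to read with
  openssl req -in "$1/req.csr" -noout -subject -config "$1/$2"
}

# Usage: d=$(mktemp -d); make_csr "$d"
#   show_subject "$d" csr.cnf     # short names GroupId / EmployeeLevel
#   show_subject "$d" plain.cnf   # same attributes shown as dotted OIDs
```

Before sending the CSR to a CA, compare the subject of the issued certificate with the CSR subject, since the answer notes that a publicly trusted CA is likely to drop unknown fields.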
Source: https://stackoverflow.com/questions/14616686/how-do-i-add-additional-information-to-certificate-service-request-csr