I must have something wrong in the configuration file and there don't seem
to be samples to cover additional OIDs. I just want to know how to use the
'oid_section' in the openssl.cnf file correctly. Btw, I am simply adding
the OCSPsigning extendedKeyUsage attribute to the cert. I can do that but
not using the oid that I defined.

I tried adding the following lines to the standard (supplied) openssl.cnf

[ CA_default ]
oid_section = oids
[ oids ]
OCSPsigning =
[ ocsp_cert ]
extendedKeyUsage = OCSPsigning

Note: the sections have other stuff in them also - I am just showing the

Then running:
openssl ca -in csr.pem -out xcert.pem -extensions ocsp_cert
gives output:

Error Loading extension section ocsp_cert
2920:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too
2920:error:2206706E:X509 V3 routines:V2I_EXTENDED_KEY_USAGE:invalid object
ifier:.\crypto\x509v3\v3_extku.c:135:section:,name :OCSPsigning,value:
2920:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
o\x509v3\v3_conf.c:93:name=extendedKeyUsage, value=OCSPsigning

If I switch to:
[ ocsp_cert ]
extendedKeyUsage =

It works fine giving output:

Certificate Details:
X509v3 extensions:
X509v3 Extended Key Usage:
OCSP Signing

How do I get the oid_section to work so I can use those oids that I


Simon McMahon
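
An added configuration example, not part of the original message and not the poster's file: one layout in which a name from an oid_section resolves inside an extension section. It assumes the openssl apps read oid_section from the unnamed default section at the top of the file, as the stock openssl.cnf does; exampleEKU and the OID 1.2.3.4 are placeholders.

```ini
# Constructed openssl.cnf fragment for illustration.

# --- unnamed default section: everything before the first [ section ] ---
# Assumption: the openssl apps look up oid_section here, which is where the
# stock openssl.cnf places it. A copy of this line inside [ CA_default ]
# is not the one used to register OIDs.
oid_section = oids

[ oids ]
# Format: short name = dotted OID.
# exampleEKU is a hypothetical name; 1.2.3.4 is the placeholder OID used in
# the comments of the stock openssl.cnf.
exampleEKU = 1.2.3.4

[ ca ]
default_ca = CA_default

[ CA_default ]
# ... existing CA settings (database, policy, default_md, ...) stay here ...

[ ocsp_cert ]
# The name resolves because [ oids ] was registered when the file was loaded.
# An unregistered name is parsed as a dotted OID instead and is rejected.
extendedKeyUsage = exampleEKU
```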

