
Long OID issue inside X509 certificate


We have a CA issuing certificates with "Certificate Policy" extension including our organization public OID.
The problem is that, unfortunately, our organization's policy id (OID) is too long (some part of the OID) to be parsed in some programming languages like Go. Thus there are many important, well-known and familiar tools that cannot load or use our certificates in any case, such as an SSL/TLS certificate.
Our Subordinate CAs have this issue too, and we are looking for a solution to address it. Is there still any method to use the existing policy inside the certificate, like segmenting the OID or shortening the OID?


Solution

  • You're out of luck I'm afraid.

    RFC 5280 Appendix B states the following about any OBJECT IDENTIFIER:

    Object Identifiers (OIDs) are used throughout this specification to identify certificate policies, public key and signature algorithms, certificate extensions, etc. There is no maximum size for OIDs. This specification mandates support for OIDs that have arc elements with values that are less than 2^28, that is, they MUST be between 0 and 268,435,455, inclusive. This allows each arc element to be represented within a single 32-bit word. Implementations MUST also support OIDs where the length of the dotted decimal (see Section 1.4 of [RFC4512]) string representation can be up to 100 bytes (inclusive). Implementations MUST be able to handle OIDs with up to 20 elements (inclusive). CAs SHOULD NOT issue certificates that contain OIDs that exceed these requirements. Likewise, CRL issuers SHOULD NOT issue CRLs that contain OIDs that exceed these requirements.

    While there is no maximum size for these OIDs, implementations do not have to support infinitely sized OIDs.

    If your OIDs are longer, then your CA needs to take heed of the penultimate sentence of the above paragraph.

    Section 6.1.3(d)(1)(i) of the RFC defines policy processing and only refers to matching OIDs. There is no concept of segmented or shortened OIDs, I'm afraid.

    Your only option is to re-issue with shorter OIDs.
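Since the question mentions Go, here is an added Go example (not code from the question, the answer, or any CA product) that checks a dotted-decimal OID against the three Appendix B limits quoted above (arc value below 2^28, dotted form at most 100 bytes, at most 20 arcs) and shows how many DER base-128 bytes each arc needs. The sample OIDs in main are constructed for illustration; the checker tests the RFC limits, not any particular parser's behaviour.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Limits every conforming implementation must support (RFC 5280 Appendix B).
const (
	maxArcValue  = 1<<28 - 1 // 268,435,455: each arc must fit in 28 bits
	maxDottedLen = 100       // bytes of the dotted-decimal string
	maxArcCount  = 20        // number of arcs
)

// CheckOID returns the Appendix B limits that a dotted-decimal OID violates.
// An empty result means the OID is within what conforming implementations must accept.
func CheckOID(oid string) []string {
	var problems []string
	if len(oid) > maxDottedLen {
		problems = append(problems, fmt.Sprintf("dotted form is %d bytes (limit %d)", len(oid), maxDottedLen))
	}
	arcs := strings.Split(oid, ".")
	if len(arcs) > maxArcCount {
		problems = append(problems, fmt.Sprintf("%d arcs (limit %d)", len(arcs), maxArcCount))
	}
	for i, a := range arcs {
		v, err := strconv.ParseUint(a, 10, 64)
		if err != nil || (len(a) > 1 && a[0] == '0') {
			problems = append(problems, fmt.Sprintf("arc %d (%q) is not a valid decimal arc", i, a))
			continue
		}
		if v > maxArcValue {
			problems = append(problems, fmt.Sprintf("arc %d = %d exceeds 2^28-1 (needs %d base-128 bytes)", i, v, base128Len(v)))
		}
	}
	return problems
}

// base128Len is the number of bytes DER uses to encode one arc: 7 data bits per
// byte, so any value below 2^28 fits in four bytes and in a 32-bit word once decoded.
func base128Len(v uint64) int {
	n := 1
	for v >>= 7; v > 0; v >>= 7 {
		n++
	}
	return n
}

func main() {
	// Constructed sample OIDs: a conforming one and one with an oversized arc.
	for _, oid := range []string{"1.2.840.113549.1.1.11", "1.3.6.1.4.1.12345.4294967296.1"} {
		fmt.Printf("%s -> %v\n", oid, CheckOID(oid))
	}
}
```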