[New in v12.0] To add an arbitrary Extension to a version 3 X.509 certificate, include an attribute-value pair of the form
<dotted-decimal>=#<hexstring> in the szExtensions parameter,
where <dotted-decimal> is the dotted-decimal OID value of the extnID of the Extension
and <hexstring> is the hexadecimal encoding of each byte of the DER-encoded ASN.1 value of the extnValue,
excluding the encapsulating OCTET STRING tag and length bytes (if you don't understand this, don't use it).
Examples
"2.16.840.1.113730.1.1=#03020410;"
2.16.840.1.113730.1.1 represents the OID for netscape-cert-type and 03020410 is the hexadecimal encoding of the
DER-encoded ASN.1 value BIT STRING with 4 unused bits: '1000'B.
"2.5.29.31=#302d302ba029a0278625687474703a2f2f646f646779636572742e6578616d706c652e636f6d2f657663612e63726c;"
2.5.29.31 represents the OID for cRLDistributionPoints and <hexstring> is the hexadecimal encoding of the
ASN.1 value:
SEQUENCE {
. SEQUENCE {
. . [0] {
. . . [0] {
. . . . [6] 'http://dodgycert.example.com/evca.crl'
. . . . }
. . . }
. . }
. }
Advanced users only. It's up to you to compose a valid DER-encoded ASN.1 value. And, yes, you can use this feature to add an MPEG video of your cat to an X.509 certificate!
To mark the extension as critical, append ",critical" to the hexstring component (no spaces, lowercase only).
For example:
"2.5.29.17=#30068704c0a80f01,critical;"
This will add a critical subjectAltName extension (OID 2.5.29.17) with the value IP Address=192.168.15.1.
The complete Extension is then encoded in the certificate as:
SEQUENCE {
. OBJECT IDENTIFIER subjectAltName (2 5 29 17)
. BOOLEAN TRUE
. OCTET STRING, encapsulates {
. . SEQUENCE {
. . . [7] C0 A8 0F 01
. . . }
. . }
. }
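The two hexstrings above can be composed and sanity-checked before they are passed in szExtensions. The following Python sketch is an added example, not part of the library or its documentation: the helper names (der_len, tlv, san_ip, crl_dp_uri, check_der, ext_pair) are hypothetical, and it only builds and validates the string without calling any certificate API.

```python
import ipaddress

def der_len(n):
    """DER definite length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value triple with a single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content

def san_ip(addr):
    """GeneralNames holding a single iPAddress [7] entry."""
    return tlv(0x30, tlv(0x87, ipaddress.ip_address(addr).packed))

def crl_dp_uri(uri):
    """CRLDistributionPoints: one DistributionPoint with one URI [6]."""
    full_name = tlv(0xA0, tlv(0x86, uri.encode("ascii")))  # fullName [0]
    return tlv(0x30, tlv(0x30, tlv(0xA0, full_name)))      # distributionPoint [0]

def check_der(data):
    """Raise ValueError unless data is a run of well-formed TLVs.
    Handles single-byte tags only; recurses into constructed values."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos] & 0x1F == 0x1F:
            raise ValueError("truncated header or multi-byte tag")
        tag, n = data[pos], data[pos + 1]
        pos += 2
        if n & 0x80:  # long-form length: next k bytes hold the length
            k = n & 0x7F
            n = int.from_bytes(data[pos:pos + k], "big")
            if k == 0 or len(data) - pos < k or n < 0x80 or data[pos] == 0:
                raise ValueError("length is not minimal definite form")
            pos += k
        if n > len(data) - pos:
            raise ValueError("length runs past end of value")
        if tag & 0x20:  # constructed: contents must be TLVs too
            check_der(data[pos:pos + n])
        pos += n

def ext_pair(oid, value, critical=False):
    """Format one <dotted-decimal>=#<hexstring>[,critical]; pair."""
    if not value:
        raise ValueError("empty extnValue")
    check_der(value)
    return f"{oid}=#{value.hex()}{',critical' if critical else ''};"
```

check_der verifies only the TLV framing (tags, lengths, nesting); it does not check that the value is semantically valid for the given OID.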