Extension-Specific Policy Module Reference
Chapter 11 Policies 527

GenericASN1Ext

The GenericASN1Ext plug-in module enables you to add custom extensions to certificates. Using this policy, you can add as many ASN.1 type-based extensions as required without having to write any code. Further, it eliminates the dependency on the command-line tools for generating base-64 encoded standard extensions from the X.509 extension classes.

The generic extension policy in CMS accepts custom extensions in the form of object identifiers (OIDs) and values as DER-encoded extension values. That is, for the server to add a custom extension to the certificates it issues, you first define the extension and then configure the server with the extension details.

Similar to a standard extension, you define a custom extension by defining an OID and an ASN.1 structure.

• The OID must be specified in the dot-separated numeric component notation (for example, 2.5.29.35). Although you can invent your own OIDs for the purposes of evaluating and testing the server, in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See Appendix H, “Object Identifiers” for information on allocating private OIDs.

• The ASN.1 structure must be constructed from a sequence of DER-encoded extension values.

The resulting extension looks similar to the way a standard extension appears in certificates (as defined in RFC 2459):

Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }

In the policy configuration, the extnID field is defined by the oid parameter, the critical field is defined by the critical parameter, and the extnValue field is defined by evaluating the expression in the pattern parameter, which in turn is defined by the attribute parameters.
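As an added example (not code from the CMS documentation), the following Python builds the Extension SEQUENCE shown above from a dotted OID, a critical flag and a list of already DER-encoded values, parses it back, and applies the RFC 2459 relying-party rule that a critical extension the application does not recognize must cause the certificate to be rejected. The OID 1.3.6.1.4.1.99999.1 and the inner values are constructed placeholders, and the DER helpers are written here rather than taken from any library.

```python
# Added example: DER-encode and decode an RFC 2459 Extension for a custom OID.
def der_len(n):                        # DER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):                    # tag byte + DER length + contents
    return bytes([tag]) + der_len(len(body)) + body
def encode_oid(dotted):                # first two arcs packed as 40*a+b, then base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([v & 0x7F])
        while v >> 7:
            v >>= 7
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))
def encode_extension(oid, critical, inner_values):
    # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING };
    # extnValue wraps a SEQUENCE of the (already DER-encoded) pattern values.
    body = encode_oid(oid)
    if critical:                       # DEFAULT FALSE: DER omits the BOOLEAN when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, tlv(0x30, b"".join(inner_values))))
def read_tlv(buf, pos):                # -> (tag, contents, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: low 7 bits give the length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def decode_oid(body):                  # inverse of encode_oid, back to dotted notation
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])
def parse_extension(der):              # -> (dotted oid, critical, extnValue contents)
    _, seq, _ = read_tlv(der, 0)
    _, oid, pos = read_tlv(seq, 0)
    tag, val, pos = read_tlv(seq, pos)
    critical = tag == 0x01 and val == b"\xff"
    if tag == 0x01:                    # BOOLEAN was present, so extnValue follows it
        _, val, pos = read_tlv(seq, pos)
    return decode_oid(oid), critical, val
def must_reject(der, known_oids):      # RFC 2459: an unrecognized critical extension is fatal
    oid, critical, _ = parse_extension(der)
    return critical and oid not in known_oids
```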
See Table 11-24 on page 529 for details on individual parameters.

Typically, the application receiving the certificate checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used. When adding your custom extension to certificates, keep in mind that if the extension exists in a certificate and if it is marked critical, the