Custom Certificate Extensions


Customized extensions are added and removed in the CA UI System Configuration page on the Custom Certificate Extensions tab. A simple extension only containing a static value can be added using the already implemented class BasicCertificateExtension and more advanced custom extensions can be made available by implementing the org.cesecore.certificates.certificate.certextensions.CustomCertificateExtension interface and making the implementation available on the classpath using Java's ServiceLoader. For more information, refer to By implementing the marker interface and setting property fields and default values, EJBCA can auto-generate a properties table for the extension.

Configuring Custom Certificate Extensions

Certificate extensions are configured on the Custom Certificate Extensions tab (CA UI → System Configuration Custom Certificate Extensions). Only administrators who are granted the access rule '/system_functionality/edit_available_custom_certificate_extensions' are allowed to add and remove custom certificate extensions.

The following properties are available for each extension:




The unique Object Identifier (OID) of the extension. Mandatory value. May also be defined as a Wildcard OID.

Display Name

Display name of the extension in the Edit Certificate Profile page. Mandatory value.

Extension Class

Full class name of the CertificateExtension implementation class. Mandatory value.


Defines if the extension should be marked as critical in the certificate.


By default enabled, making the extension required in the request. Clearing Required allows a request to optionally contain the defined extension. In its absence, it will be ignored.


Properties are inherent to each extension implementation.

When adding a new Custom Certificate Extension, the OID and the Display Name are specified and a new Extension with the following default values is created:

  • Class Path: org.cesecore.certificates.certificate.certextensions.BasicCertificateExtension

  • Critical: False

  • Properties: Empty list of properties

Click on the newly created extension to edit these values.

After extensions have been added, it is possible to select them for a certificate profile on the Edit Certificate Profile page.

Using the Required flag

When an extension is selected to be required (default) and the extension properties dynamic=true is set, a value has to be provided. It can either be a default value, specified in the extension properties, or a value specified as Custom Certificate Extension Data (see below). Sometimes there is a need to specify an extension as optional so the caller (an RA typically) can decide if the extension should be included or not. By setting Required=false an extension with a dynamic value can be excluded by not providing it in the request.

OCSP Must Staple

Example extension configuration for the OCSP Must Staple TLS feature extension:

  • Object Identifier:

  • Label: OCSP Must Staple

  • Extension Class: Basic Certificate Extension

  • Critical: false

  • Required: false

  • Properties:

    • Dynamic: false

    • Encoding: DEROBJECT

    • Value: 3003020105

Or for illustrative purposes, you may also set the following:

  • Properties:

    • Dynamic: true

    • Encoding: DEROBJECT

    • Value: (empty)

Checking Custom certificate extension data in the end entity profile will bring up a Certificate Extension Data entry field when adding/editing end entities.

If this field is left empty (and no static value has been specified for the extension), generating a certificate for the end entity will result in no extension being added to the issued certificate.

Entering the following data in the Certificate Extension Data entry field will add the OCSP Must Staple extension to the issued certificate:

Content in the issued certificate (from dumpasn1 ...):

OBJECT IDENTIFIER '1 3 6 1 5 5 7 1 24'
   OCTET STRING, encapsulates {
       SEQUENCE {
           INTEGER 5

Wildcard OID

The extension OID may be configured as a wildcard, for example, *.1.2.3. Doing this will match the configuration with any requested OID, matching the pattern (thus ending with .1.2.3). Once matched, the dynamic value from the request will be used in the certificate. Since the wildcard in itself is not a valid OID, an actual OID which matches the wildcard must always be present in the request (unless Required is cleared, in which case it is ignored). Hence, wildcard configurations cannot fall back on the defined static value if the extension is missing from the request.

Removing a Custom Certificate Extension

If removing a custom certificate extension, currently in use in a certificate profile, from the list of available extensions in the Custom Certificate Extensions, a warning is displayed listing the certificate profiles using the extension. The extension will not be removed from the certificate profile since it is still used but the removed extension will not be usable or be part of any certificate issued after the removal and will be displayed as OID (No longer used. Please unselect this option) in the Edit Certificate Profile page. To remove an extension in use from the certificate profile, manually clear the extension from the list of Used Custom Certificate Extensions on the Edit Certificate Profile page.

Basic Certificate Extension

In order to create a Basic Certificate Extension, you set the Class Path to 'org.cesecore.certificates.certificate.certextensions.BasicCertificateExtension' (default setting) and specify the properties encoding and value (value is optional if there is a property 'dynamic=true').

The following table lists available encodings and how their value is interpreted.




A string containing the characters '0' and '1'.


A string containing digits only in decimal digits.


A string containing hex data representation.


The string 'true' or 'false'.


A string containing valid printable string characters (a-z, 0-9).


A string in UTF-8 format.


An ASN.1 IA5String containing valid printable string characters (a-z, 0-9).


Empty value, not used.


The hex encoded DER value of the extensions. You can use this to create an extension with sequences etc.


The hex encoded byte array value of the extensions. You can supply any data hex encoded to be used as the extension value bytes, also data that violates RFC5280.

Examples of certificate extensions that you can configure with the BasicCertificateExtension are given in 'src/java/'.

  • MS application policies

  • NetscapeCertType

  • NetscapeComment

  • NetscapeCARevocationURL

  • NetscapeRevocationURL

  • ...

If the property dynamic is configured to true, the extension value may be taken from extension data supplied with the end entity. For more information on how to add extension data using the Admin Web, see Custom Certificate Extension Data.

Implementing an Advanced Certificate Extension

To create an advanced extension, you need to create a Java class extending the CertificateExtension abstract class. The method getValue is required and the current user data, CA and certificate profile are sent to the extension in order to generate dynamic extensions.

If your advanced extension needs to return a byte array that is not necessarily an ASN.1 structure, it is possible to override the getValueEncoded method as this is the method EJBCA will call when adding the extension to the certificate. For more information, refer to

In addition to static values defined Admin Web>System Configuration>Custom Certificate Extensions, it is also possible to get values from the extension data in the end entity's extended information store. A good choice is to use the extension oid as a prefix to the key of the property to associate the value with this extension.

The following shows an example of an advanced extension. To add this extension to EJBCA create a new Extension on System Configuration>Custom Certificate Extensions and make sure the full class name is specified in the Class Path property and that the class is accessible on the classpath.

public class SomeAdvancedCertificateExtension extends CertificateExtension {
private static String PROPERTY_SOMEPROPERTY = "someproperty";
* The main method that should return a byte[] with the ASN.1 encoded data to be put
in the extension valud
* using the input data (optional) or defined properties (optional)
* @see
public byte[] getValueEncoded(EndEntityInformation userData, CA ca, CertificateProfile
certProfile, PublicKey userPublicKey,
PublicKey caPublicKey, CertificateValidity val )
throws CertificateExtentionConfigurationException, CertificateExtensionException {
try {
// Optionally get dynamic values for this extension
//String dynamicValue = userData.getExtendedinformation().getExtensionData
(getOID() + ".someotherproperty");
String value = getProperties().getProperty("FOO");
DERPrintableString asn1value = new DERPrintableString(value);
return asn1value.toASN1Primitive().getEncoded();
} catch (IOException e) {
throw new CertificateExtensionException("Error constructing certificate
extension SomeAdvancedCertificateExtension.", e);
* @deprecated use getValueEncoded instead.
public ASN1Encodable getValue(EndEntityInformation userData, CA ca, CertificateProfile
certProfile, PublicKey userPublicKey, PublicKey caPublicKey, CertificateValidity val)
throws CertificateExtensionException, CertificateExtentionConfigurationException {
throw new UnsupportedOperationException("Use getValueEncoded instead");