Custom Subject DN and altName OIDs

EJBCA supports custom OIDs in DN components. To add your own customized DN, call the DN, for example:

CN=MyCommonName,,C=SE Where is your custom OID

Note that custom OIDs are always encoded as UTF8String in the DN.

To enable support for custom OIDs in the Admin GUI, edit the file src/java/ and add your new OID at the end of the file. Follow the example in the file to add your OID in the End Entity Profile, and add new users. After updating the, always edit the appropriate language properties file modules/admin-gui/resources/languages/languagefile.<your language>.properties and add the last field in the file, i.e. the LanguageConstant. Otherwise, the Admin GUI displays your new field as the key you entered.

By default, EJBCA places unknown OIDs at the end. For example, the DN can be displayed as CN=MyCommonName,C=SE, (when looking at the ASN.1 encoding; different applications may display the components in a different order regardless of the ASN.1 encoding). To control the ASN.1 ordering of DN elements, add a file named in the directory ejbca/src/java. The file in the distribution displays the default order in EJBCA and can be used as an example. Note that your custom OID must be placed at the correct position in the file, and the file must include all components from the sample file. Also note that you can also control the order in the certificate profile, via the Custom Subject DN Order field. After updating the file, run ant clean before re-deploying EJBCA.

If you use custom OIDs, they should not become standard ones later on: if the underlying ASN.1 library in EJBCA starts to recognize the OIDs as standard ones, things will be renamed in the database and you will have to do a database migration. Additionally, you must consider your customizations when upgrading EJBCA and keep track of


Adding custom OIDs in altNames works the same way as for DN. Using a custom OID, the altName string in the database can, for example, be, A Custom OID is always added as OtherName using a simple UTF8String. For more information on the definition of the OtherName altName, see RFC 5280.

The OtherName consists of:

  • The custom OID

  • A UTF8String with the value
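
The following added example (not code from EJBCA) shows the DER bytes of such an OtherName as defined in RFC 5280, and a strict decoder that accepts only an OID followed by a wrapped UTF8String. The OID 2.999.1 and the value are constructed samples, and all function names are hypothetical.

```python
# Added example (not EJBCA code): DER layout of an OtherName altName per RFC 5280.
SAMPLE_OID = "2.999.1"      # constructed sample OID under the 2.999 example arc
SAMPLE_VALUE = "abc"        # constructed sample value

def tlv(tag, content):
    """Tag + DER definite length + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def base128(n):
    """Base-128 encoding of one OID sub-identifier (high bit = more bytes)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def encode_other_name(oid, value):
    arcs = [int(a) for a in oid.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    type_id = tlv(0x06, b"".join(base128(s) for s in subids))  # OBJECT IDENTIFIER
    utf8 = tlv(0x0C, value.encode("utf-8"))                    # UTF8String
    # GeneralName otherName is [0] IMPLICIT; its value field is [0] EXPLICIT.
    return tlv(0xA0, type_id + tlv(0xA0, utf8))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_other_name(der):
    """Return (oid, text); reject anything that is not OID + [0]{UTF8String}."""
    tag, body, _ = read_tlv(der)
    t_oid, oid_bytes, pos = read_tlv(body)
    t_wrap, wrapped, _ = read_tlv(body, pos)
    t_str, text, _ = read_tlv(wrapped)
    if (tag, t_oid, t_wrap, t_str) != (0xA0, 0x06, 0xA0, 0x0C):
        raise ValueError("not an OtherName carrying a UTF8String")
    subids, val = [], 0
    for b in oid_bytes:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = min(subids[0] // 40, 2)
    arcs = [first, subids[0] - 40 * first] + subids[1:]
    return ".".join(map(str, arcs)), text.decode("utf-8")
```

Because the value is wrapped in an explicit [0] tag, a consumer that expects a different string type inside an OtherName with the same OID will not match these bytes.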