KB Article #178440

What is the meaning of the numbers (OIDs) found in the extensions of API Gateway topology certificates?

Question

Looking at the Admin Node Manager certificate extensions (as printed by openssl x509 -text) we find the following:

    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.4.1.17998.10.1.1.2.1, 1.3.6.1.4.1.17998.10.1.1.2.2
    X509v3 Subject Alternative Name:
        DNS:myserver.axway.int, IP Address:10.142.59.3

What is the meaning of the strange numbers listed in the X509v3 Extended Key Usage?


Answer

These are called object identifiers (OIDs). An OID is a hierarchically assigned, dotted sequence of numbers that acts as a kind of magic number: its presence in the Extended Key Usage extension tells the software what the certificate is allowed to be used for. There are three such OIDs that you can find in topology certificates:


ADMIN_NODE_MANAGER_OID = "1.3.6.1.4.1.17998.10.1.1.2.2"
NODE_MANAGER_OID = "1.3.6.1.4.1.17998.10.1.1.2.1"
GATEWAY_OID = "1.3.6.1.4.1.17998.10.1.1.2.3"


Admin Node Manager (ANM) certificates contain both the ADMIN_NODE_MANAGER_OID and the NODE_MANAGER_OID. Regular Node Manager (NM) certificates carry only the NODE_MANAGER_OID, while gateway instances carry only the GATEWAY_OID in their certificates.


In particular, the ADMIN_NODE_MANAGER_OID is essential for ANM functionality. If the certificate is regenerated without this OID, the ANM listener on port 8090 will not start up; the node will not act as an ANM and will effectively demote itself to a local NM. This typically happens when the managedomain command is used to create certificate signing requests (CSRs) that are sent to an external CA for signing, and the CA does not include the requested OIDs in the resulting certificate.
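The following script is an added illustration and is not part of the KB article or of the product. It reads the Extended Key Usage line out of an openssl x509 -text dump, applies the role rules above to decide whether the certificate is an ANM, NM or gateway certificate, reports which topology OIDs are missing for a role (the demotion scenario described above, where a CA strips the custom OIDs), and also shows how a dotted OID such as 1.3.6.1.4.1.17998.10.1.1.2.2 is encoded in DER, which is the form that actually appears inside the certificate. The two certificate dumps are constructed from the question's example; the function names are this example's own.

```python
"""Classify an API Gateway topology certificate by the custom OIDs in its
Extended Key Usage extension, working from `openssl x509 -text -noout` output.
Added example; not code from the KB article or the product."""

# The three topology OIDs named in the article. 1.3.6.1.4.1 is the IANA
# private-enterprise arc; 17998 is an enterprise number beneath it.
ADMIN_NODE_MANAGER_OID = "1.3.6.1.4.1.17998.10.1.1.2.2"
NODE_MANAGER_OID = "1.3.6.1.4.1.17998.10.1.1.2.1"
GATEWAY_OID = "1.3.6.1.4.1.17998.10.1.1.2.3"
TOPOLOGY_OIDS = {ADMIN_NODE_MANAGER_OID, NODE_MANAGER_OID, GATEWAY_OID}

# What each role must carry, per the article's rules.
ROLE_REQUIREMENTS = {
    "admin-node-manager": {ADMIN_NODE_MANAGER_OID, NODE_MANAGER_OID},
    "node-manager": {NODE_MANAGER_OID},
    "gateway": {GATEWAY_OID},
}

# Constructed sample: the ANM dump from the question (indentation as openssl prints it).
SAMPLE_ANM_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.4.1.17998.10.1.1.2.1, 1.3.6.1.4.1.17998.10.1.1.2.2
            X509v3 Subject Alternative Name:
                DNS:myserver.axway.int, IP Address:10.142.59.3
"""

# Constructed sample: the same CSR after a CA that dropped the custom OIDs.
SAMPLE_STRIPPED_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:myserver.axway.int, IP Address:10.142.59.3
"""


def parse_eku(openssl_text):
    """Return the Extended Key Usage entries (names or dotted OIDs) from a
    text dump, or [] if the extension is absent. openssl prints the values
    on the non-empty line that follows the extension header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Extended Key Usage"):
            for nxt in lines[i + 1:]:
                if nxt.strip():
                    return [v.strip() for v in nxt.split(",") if v.strip()]
            return []
    return []


def classify(eku_entries):
    """Apply the article's rules to the topology OIDs present in the EKU."""
    present = TOPOLOGY_OIDS & set(eku_entries)
    for role, required in ROLE_REQUIREMENTS.items():
        if present == required:
            return role
    return "not-a-topology-certificate" if not present else "unexpected-oid-combination"


def missing_oids(eku_entries, expected_role):
    """OIDs the certificate lacks for the role it was meant to have; a
    non-empty result for 'admin-node-manager' is the demotion symptom."""
    return ROLE_REQUIREMENTS[expected_role] - set(eku_entries)


def der_encode_oid(dotted):
    """Encode a dotted OID as DER content octets (first two arcs packed as
    40*a+b, every arc base-128 with continuation bits)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_decode_oid(content):
    """Inverse of der_encode_oid: DER content octets back to dotted form."""
    values, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(acc)
            acc = 0
    first = values[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + values[1:])


if __name__ == "__main__":
    for label, text in (("signed as requested", SAMPLE_ANM_TEXT), ("OIDs stripped by CA", SAMPLE_STRIPPED_TEXT)):
        eku = parse_eku(text)
        print(label, "->", classify(eku), "| missing for ANM:", sorted(missing_oids(eku, "admin-node-manager")))
    print(ADMIN_NODE_MANAGER_OID, "in DER:", der_encode_oid(ADMIN_NODE_MANAGER_OID).hex())
```

To use it on a real certificate, feed the output of `openssl x509 -in cert.pem -noout -text` to parse_eku and compare classify() against the role the node is supposed to have; a result other than admin-node-manager for an ANM certificate, with missing_oids() naming the ADMIN_NODE_MANAGER_OID, is the condition that leaves port 8090 down.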


Be advised that having some CAs, in particular Microsoft CA, sign a CSR that carries a custom OID requires the CA administrator to create suitable certificate templates before the topology certs can be issued correctly. Additionally, many public CAs are unwilling to issue certs with custom OIDs at all.