What is the distinguished_name section in the OpenSSL configuration file?

The distinguished_name section in the OpenSSL configuration file is a required section of options when using OpenSSL "req -new" or "req -newkey" commands to generate a new CSR or self-signed certificate.

distinguished_name sections provides options to control the behavior of the following two groups of DN (Distinguished Name) fields.

1. Standard DN fields:

• commonName (or CN) - Common name of the subject.
• countryName (or C) - ISO2 code of the country where the subject is located.
• stateOrProvinceName (or ST) - State or province name where the subject is located.
• localityName (or L) - Locality, like city, name where the subject is located.
• organizationName (or O) - Organization name which the subject belongs to.
• organizationalUnitName (or OU) - Organization unit name which the subject belongs to.

2. Additional DN fields:

• name - Name of the subject.
• surname - Last name of the subject.
• givenName - First name of the subject.
• initials - Intitials of the subject.
• emailAddress - Email address of the subject.
• dnQualifier - Distinguished Name Qualifier of the subject.

There are 2 modes to use when writing distinguished_name section in the configuration file:

1. "prompt=no" mode - This mode tells OpenSSL to not prompt user for distinguished name fields. It will read distinguished_name section as values for DN fields, instead of field prompting labels.

For example: "countryName=US" tells OpenSSL to use "US" as the countryName value.

2. "prompt=yes" mode - This mode tells OpenSSL to prompt user for distinguished name fields. It will read distinguished_name section as prompting labels for DN fields, instead of field values.

For example: "countryName=Country ISO2 Code" tells OpenSSL to use "Country ISO2 Code []:" to prompt the user to enter the countryName value.

⇒ OpenSSL "req" - "prompt=no" Mode

⇐ OpenSSL "req -config" - Using Configuration File

⇑ OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials