OpenSSL "req" - distinguished_name Configuration Section

Q

What is the distinguished_name section in the OpenSSL configuration file?

✍: FYIcenter.com

A

The distinguished_name section in the OpenSSL configuration file is a required section of options when using OpenSSL "req -new" or "req -newkey" commands to generate a new CSR or self-signed certificate.

distinguished_name sections provides options to control the behavior of the following two groups of DN (Distinguished Name) fields.

1. Standard DN fields:

commonName (or CN) - Common name of the subject.
countryName (or C) - ISO2 code of the country where the subject is located.
stateOrProvinceName (or ST) - State or province name where the subject is located.
localityName (or L) - Locality, like city, name where the subject is located.
organizationName (or O) - Organization name which the subject belongs to.
organizationalUnitName (or OU) - Organization unit name which the subject belongs to.

2. Additional DN fields:

name - Name of the subject.
surname - Last name of the subject.
givenName - First name of the subject.
initials - Intitials of the subject.
emailAddress - Email address of the subject.
dnQualifier - Distinguished Name Qualifier of the subject.

There are 2 modes to use when writing distinguished_name section in the configuration file:

1. "prompt=no" mode - This mode tells OpenSSL to not prompt user for distinguished name fields. It will read distinguished_name section as values for DN fields, instead of field prompting labels.

For example: "countryName=US" tells OpenSSL to use "US" as the countryName value.

2. "prompt=yes" mode - This mode tells OpenSSL to prompt user for distinguished name fields. It will read distinguished_name section as prompting labels for DN fields, instead of field values.

For example: "countryName=Country ISO2 Code" tells OpenSSL to use "Country ISO2 Code []:" to prompt the user to enter the countryName value.

⇒ OpenSSL "req" - "prompt=no" Mode

⇐ OpenSSL "req -config" - Using Configuration File

⇑ OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-11-02, 14715👍, 0💬

OpenSSL "req -x509 -set_serial" - Certificate Serial Number
Can I sign my own CSR with a given serial number using the OpenSSL "req -x509" command? Yes, you can sign you own CSR (Certificate Sign Request) with a given serial number using the OpenSSL "req -x509 -set_serial" command as shown below. Without the "-set_serial" option, the resulting certificate wi... 2016-11-11, 12685👍, 0💬

OpenSSL "req" - "prompt=no" Mode
How to use the "prompt=no" mode of the OpenSSL "req -new" command? I want to specify DN field values directly in the configuration file. You can use "prompt=no" mode of the OpenSSL "req -new" command as shown below, if you set "prompt=no" and provide DN (Distinguished Name) field values in the confi... 2016-11-02, 5501👍, 0💬

OpenSSL "req -config" - Using Configuration File
Can I use my own configuration file when running "req" command? Yes, you can specify your own configuration file using the "-config file" option when running the "req" command. OpenSSL configuration file allows you to control the behavior of the "req" command with the following options: utf8 - If se... 2016-11-03, 5498👍, 0💬

OpenSSL "req new -batch" - Using DN Default Values Only
How to run OpenSSL "req -new" command in batch mode? I don't OpenSSL to use DN default values only and do not prompt me. If you have DN (Distinguished Name) default values provided in the configuration file, you can run OpenSSl "req -new -batch" command to take default values only without prompt as ... 2016-10-29, 2665👍, 0💬

OpenSSL "req" - "prompt=yes" Mode
How to use the "prompt=yes" mode of the OpenSSL "req -new" command? I want to enter DN values at the command prompt. You can use "prompt=yes" mode of the OpenSSL "req -new" command as shown below, if you set "prompt=yes" and provide DN (Distinguished Name) field prompts in the configuration file. C:... 2016-10-30, 2638👍, 0💬

OpenSSL "req -x509 -md5" - MD5 Digest for Signing
Can I using MD5 digest algorithm when generating a self-signed certificate using the OpenSSL "req -x509" command? Yes, you can use MD5 digest algorithm when generating a self-signed certificate using the OpenSSL "req -x509 -md5" command Without the "-md5" option, the default SHA256 digest algorithm ... 2016-11-05, 2582👍, 0💬

OpenSSL "req" - "prompt=yes" Mode with DN Defaults
How to specify DN value defaults when using the "prompt=yes" mode of the OpenSSL "req -new" command? If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) default values in the configuration file. OpenSSL will prompt the user for DN fields with default values. The user can pre... 2016-10-29, 2490👍, 0💬

OpenSSL "req" - "prompt=yes" Mode with DN Validations
How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command? If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you. For ... 2016-10-30, 1751👍, 0💬

OpenSSL Not Validate Signature in Self-Signed Certificate
Does OpenSSL "verify" command really validate the digital signature in a self-signed certificate? No, OpenSSL "verify" command does not validate the digital signature in a self-signed certificate. In the following test, a CSR with an RSA public key was "self-signed" by the OpenSSL "req -x509" comman... 2016-11-03, 1573👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.