OpenSSL "req" - "prompt=yes" Mode with DN Validations
How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command?
✍: FYIcenter.com
If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you.
For example, "countryName_min=2" and "countryName_max=2" will limit the countryName value to exactly 2 bytes. If you enter "USA" at the countryName prompt, you will get an error.
Below is a test showing you how to use DN value length limits in the OpenSSL configuration file.
C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password = fyicenter
prompt = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]
# Minimum of 4 bytes are needed for common name
commonName = Common Name
commonName_min = 4
commonName_max = 32

# ISO2 country code only
countryName = Country Name
countryName_min = 2
countryName_max = 2

# State is optional, no minimum limit
stateOrProvinceName = State
stateOrProvinceName_max = 24

# City is required
localityName = City
localityName_min = 3
localityName_max = 24

# Organization is optional
organizationName = Organization
organizationName_max = 48

# Organization Unit is optional
organizationalUnitName = Department
organizationalUnitName_max = 48

# Email is optional
emailAddress = Email
emailAddress_max = 48

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name []:FYI
string is too short, it needs to be at least 4 bytes long
Common Name []:FYIcenter.com CA
Country Name []:USA
string is too long, it needs to be less than 2 bytes long
Country Name []:US
State []:NY
City []:New York
Organization []:FYIcenter.com
Department []:IT
Email []:ca@fyicenter.com
As you can see from the test, setting DN value length limits lets the OpenSSL "req -new" command reject values that are too short or too long and prompt the user again until a correct DN value is entered.
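The same length limits can be checked against a set of DN values before anyone sits at the prompt, for example when reviewing a request form. The following is an added example, not code from the original page or from OpenSSL: the function names parse_sections, dn_limits and check_dn are hypothetical, the configuration is an abridged constructed copy of test.cnf, and it assumes values are UTF-8 encoded and measured in bytes, as the error messages above report.

```python
import re

# Constructed sample: abridged copy of the page's test.cnf.
SAMPLE_CNF = """\
[req]
prompt = yes
distinguished_name = my_req_dn_prompt
[my_req_dn_prompt]
commonName = Common Name
commonName_min = 4
commonName_max = 32
countryName = Country Name   # ISO2 country code only
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State
stateOrProvinceName_max = 24
"""

def parse_sections(text):
    """Group 'name = value' lines under their [section] header."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[name] = value
    return sections

def dn_limits(text):
    """Return {field: (min, max)} from the section named by distinguished_name in [req]."""
    sections = parse_sections(text)
    dn = sections[sections["req"]["distinguished_name"]]
    fields = [k for k in dn if not k.endswith(("_min", "_max", "_default", "_value"))]
    return {f: (int(dn.get(f + "_min", 0)),
                int(dn[f + "_max"]) if f + "_max" in dn else None) for f in fields}

def check_dn(text, values):
    """Return (field, problem) pairs for supplied values that break a length limit."""
    limits, problems = dn_limits(text), []
    for field, value in values.items():
        lo, hi = limits[field]
        size = len(value.encode("utf-8"))  # assumption: input is UTF-8; limits are in bytes
        if size < lo:
            problems.append((field, f"too short: {size} bytes, minimum {lo}"))
        elif hi is not None and size > hi:
            problems.append((field, f"too long: {size} bytes, maximum {hi}"))
    return problems
```

Only the fields passed in are checked, and because the limits count bytes, a two-character country value containing a non-ASCII letter is reported as too long.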
2016-10-30