OpenSSL "req" - "prompt=yes" Mode with DN Validations
How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command?
✍: FYIcenter.com
If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you.
For example, "countryName_min=2" and "countryName_max=2" will limit the countryName value to 2 bytes only. If you enter "USA" at the countryName prompt, you will get an error.
Below is a test showing you how to use DN value length limits in the OpenSSL configuration file.
    C:\Users\fyicenter>type test.cnf
    # unnamed section of generic options
    default_md = md5

    # default section for "req" command options
    [req]
    input_password = fyicenter
    prompt = yes
    distinguished_name = my_req_dn_prompt

    [my_req_dn_prompt]
    # Minimum of 4 bytes are needed for common name
    commonName = Common Name
    commonName_min = 4
    commonName_max = 32

    # ISO2 country code only
    countryName = Country Name
    countryName_min = 2
    countryName_max = 2

    # State is optional, no minimum limit
    stateOrProvinceName = State
    stateOrProvinceName_max = 24

    # City is required
    localityName = City
    localityName_min = 3
    localityName_max = 24

    # Organization is optional
    organizationName = Organization
    organizationName_max = 48

    # Organization Unit is optional
    organizationalUnitName = Department
    organizationalUnitName_max = 48

    # Email is optional
    emailAddress = Email
    emailAddress_max = 48

    C:\Users\fyicenter>\local\openssl\openssl.exe
    OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name []:FYI
    string is too short, it needs to be at least 4 bytes long
    Common Name []:FYIcenter.com CA
    Country Name []:USA
    string is too long, it needs to be less than 2 bytes long
    Country Name []:US
    State []:NY
    City []:New York
    Organization []:FYIcenter.com
    Department []:IT
    Email []:ca@fyicenter.com
As you can see from the test, setting DN value length limits lets the OpenSSL "req -new" command reject values that are too short or too long and prompt the user again until a valid DN value is entered.
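The same limits can be checked before values ever reach the prompt, for example when DN values come from a form or a script. The sketch below is an added example, not code from FYIcenter.com or OpenSSL: `SAMPLE_CNF`, `load_limits` and `check_dn` are hypothetical names, and UTF-8 input is an assumption. It follows what the transcript shows: the maximum is inclusive ("US" passes with countryName_max = 2) even though the error message says "less than".

```python
# Added example; SAMPLE_CNF is a constructed excerpt of the page's test.cnf.
SAMPLE_CNF = """\
[req]
prompt = yes
distinguished_name = my_req_dn_prompt
[my_req_dn_prompt]
commonName = Common Name
commonName_min = 4
commonName_max = 32
countryName = Country Name
countryName_min = 2
countryName_max = 2
localityName = City
localityName_min = 3
localityName_max = 24
emailAddress = Email
emailAddress_max = 48
"""

def load_limits(cnf_text, section):
    """Return {field: (min, max)} for one section; -1 means the limit is not set."""
    limits, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            field, _, suffix = key.rpartition("_")
            lo, hi = limits.get(field, (-1, -1))
            if field and suffix == "min":
                limits[field] = (int(value), hi)
            elif field and suffix == "max":
                limits[field] = (lo, int(value))
            else:
                limits.setdefault(key, (-1, -1))     # the prompt text line
    return limits

def check_dn(values, limits, encoding="utf-8"):
    """Return [(field, problem)] for values outside their limits."""
    problems = []
    for field, value in values.items():
        lo, hi = limits.get(field, (-1, -1))
        size = len(value.encode(encoding))           # limits are in bytes (UTF-8 assumed)
        if lo > 0 and size < lo:
            problems.append((field, f"too short: {size} < {lo} bytes"))
        elif hi >= 0 and size > hi:                  # maximum is inclusive
            problems.append((field, f"too long: {size} > {hi} bytes"))
    return problems
```

Because the limits count bytes, a two-character country value containing a non-ASCII letter would exceed countryName_max = 2 under UTF-8.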
2016-10-30