OpenSSL "req -new" - Repeating DN Fields

Q

Can I repeat a DN field multiple times in the configuration file for the OpenSSL "req -new" command?

✍: FYIcenter.com

A

Yes, you can repeat a DN (Distinguished Name) field multiple times in the configuration file. This can be done by prefix the DN field name with "0.", "1.", and so on.

For example. "0.emailAddress=Email #1" and "1.emailAddress=Email #2" in the configuration file will prompt for the emailAddress twice.

The test below shows you an example of repeating DN fields multiple times:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]

# Minimum of 4 bytes are needed for common name
commonName         = Common Name
commonName_default = FYIcenter.com CA

# ISO2 country code only
countryName         = Country Name
countryName_default = US

# State is optional, no minimum limit
stateOrProvinceName         = State
stateOrProvinceName_default = NY

# City is required
localityName         = City
localityName_default = New York

# Organization is optional
organizationName         = Organization
organizationName_default = FYIcenter.com

# Organization Unit is optional
0.organizationalUnitName         = Department #1
0.organizationalUnitName_default = IT
1.organizationalUnitName         = Department #2
1.organizationalUnitName_default = Security

# Email is optional
0.emailAddress         = Email #1
0.emailAddress_default = ca@fyicenter.com
1.emailAddress         = Email #2
1.emailAddress_default = help@fyicenter.com

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name [FYIcenter.com CA]:
Country Name [US]:
State [NY]:
City [New York]:
Organization [FYIcenter.com]:
Department [IT]:
Department [Security]:
Email [ca@fyicenter.com]:
Email [help@fyicenter.com]:

OpenSSL> req -in test.csr -subject -noout
subject=/CN=FYIcenter.com CA/C=US/ST=NY/L=New York/O=FYIcenter.com/OU=IT
        /OU=Security/emailAddress=ca@fyicenter.com/emailAddress=help@fyicenter.com

As you can see from the output of the test, OU (organizationalUnitName) and emailAddress are both repeated twice.

⇒ OpenSSL "req -new" - DN Fields for Personal Certificates

⇐ OpenSSL "req -new" - "no objects specified in config file" Error

⇑ OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-27, ∼4050🔥, 0💬

OpenSSL "req -new -reqexts" - Specify CSR V3 Extensions
How to specify x.509 v3 extensions options in the configuration file for generating CSR using the OpenSSL "req" command? You can use x.509 v3 extensions options when using OpenSSL "req -new" command to generate a CSR (Certificate Signing Request). The provided x509 extensions will be included in the... 2016-10-25, ≈14🔥, 0💬

OpenSSL "req" - X509 V3 Extensions Configuration Options
What are X509 V3 extensions options in the configuration file for the OpenSSL "req" command? X509 V3 extensions options in the configuration file allows you to add extension properties into x.509 v3 certificate when you use OpenSSL commands to generate CSR and self-signed certificates. X509 V3 exten... 2016-10-26, ≈12🔥, 0💬

OpenSSL "req -x509 -extensions" - Specify Self-Signed Certificate V3 Extensions
How to specify x.509 v5 extensions options in the configuration file for generating self-signed certificate using the OpenSSL "req -x509" command? You can use x.509 v3 extensions options when using OpenSSL "req -x509" command to generate a self-signed certificate. The provided x509 extensions will b... 2016-10-25, ∼8049🔥, 0💬

OpenSSL "req -new" - DN Fields for Personal Certificates
How to use additional DN fields to create CSR for personal certificates? You can set additional DN fields in the configuration file to allow OpenSSL "req -new" command to generate CSR for personal certificates. Additional DN fields are: emailAddress, name, surname, givenName, initials and dnQualifie... 2016-10-27, ∼7600🔥, 0💬

OpenSSL "req" - "prompt=yes" Mode
How to use the "prompt=yes" mode of the OpenSSL "req -new" command? I want to enter DN values at the command prompt. You can use "prompt=yes" mode of the OpenSSL "req -new" command as shown below, if you set "prompt=yes" and provide DN (Distinguished Name) field prompts in the configuration file. C:... 2016-10-30, ∼6375🔥, 0💬

OpenSSL "req" - "prompt=yes" Mode with DN Defaults
How to specify DN value defaults when using the "prompt=yes" mode of the OpenSSL "req -new" command? If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) default values in the configuration file. OpenSSL will prompt the user for DN fields with default values. The user can pre... 2016-10-29, ∼5736🔥, 0💬

OpenSSL "req new -batch" - Using DN Default Values Only
How to run OpenSSL "req -new" command in batch mode? I don't OpenSSL to use DN default values only and do not prompt me. If you have DN (Distinguished Name) default values provided in the configuration file, you can run OpenSSl "req -new -batch" command to take default values only without prompt as ... 2016-10-29, ∼5184🔥, 0💬

OpenSSL "req -new" - Repeating DN Fields
Can I repeat a DN field multiple times in the configuration file for the OpenSSL "req -new" command? Yes, you can repeat a DN (Distinguished Name) field multiple times in the configuration file. This can be done by prefix the DN field name with "0.", "1.", and so on. For example. "0.emailAddress=Ema... 2016-10-27, ∼4051🔥, 0💬

OpenSSL "req -new -reqexts" - Test CSR V3 Extensions
How to run OpenSSL "req -new" command to generate CSR with x.509 v3 extensions? I have req_extensions option defined in the configuration file. If you want to run OpenSSL "req -new" command to generate CSR with x.509 v3 extensions, you can follow this example: C:\Users\fyicenter>type test.cnf... 2016-10-25, ∼3649🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.