OpenSSL "req -new" - Repeating DN Fields

Q

Can I repeat a DN field multiple times in the configuration file for the OpenSSL "req -new" command?

✍: FYIcenter.com

A

Yes, you can repeat a DN (Distinguished Name) field multiple times in the configuration file. This can be done by prefix the DN field name with "0.", "1.", and so on.

For example. "0.emailAddress=Email #1" and "1.emailAddress=Email #2" in the configuration file will prompt for the emailAddress twice.

The test below shows you an example of repeating DN fields multiple times:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]

# Minimum of 4 bytes are needed for common name
commonName         = Common Name
commonName_default = FYIcenter.com CA

# ISO2 country code only
countryName         = Country Name
countryName_default = US

# State is optional, no minimum limit
stateOrProvinceName         = State
stateOrProvinceName_default = NY

# City is required
localityName         = City
localityName_default = New York

# Organization is optional
organizationName         = Organization
organizationName_default = FYIcenter.com

# Organization Unit is optional
0.organizationalUnitName         = Department #1
0.organizationalUnitName_default = IT
1.organizationalUnitName         = Department #2
1.organizationalUnitName_default = Security

# Email is optional
0.emailAddress         = Email #1
0.emailAddress_default = ca@fyicenter.com
1.emailAddress         = Email #2
1.emailAddress_default = help@fyicenter.com

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name [FYIcenter.com CA]:
Country Name [US]:
State [NY]:
City [New York]:
Organization [FYIcenter.com]:
Department [IT]:
Department [Security]:
Email [ca@fyicenter.com]:
Email [help@fyicenter.com]:

OpenSSL> req -in test.csr -subject -noout
subject=/CN=FYIcenter.com CA/C=US/ST=NY/L=New York/O=FYIcenter.com/OU=IT
        /OU=Security/emailAddress=ca@fyicenter.com/emailAddress=help@fyicenter.com

As you can see from the output of the test, OU (organizationalUnitName) and emailAddress are both repeated twice.

 

OpenSSL "req -new" - DN Fields for Personal Certificates

OpenSSL "req -new" - "no objects specified in config file" Error

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-27, 998👍, 0💬