OpenSSL "req -new" - DN Fields for Personal Certificates
Q
How to use additional DN fields to create CSR for personal certificates?
✍: FYIcenter.com
A
You can set additional DN fields in the configuration file to allow OpenSSL "req -new"
command to generate CSR for personal certificates.
Additional DN fields are: emailAddress, name, surname, givenName, initials and dnQualifier.
The test below shows you how to use additional DN fields for personal certificates:
C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5
# default section for "req" command options
[req]
input_password = fyicenter
prompt = yes
distinguished_name = my_req_dn_prompt
[my_req_dn_prompt]
# Addtional DN fields
emailAddress = Email
emailAddress_default = john@it
givenName = First Name
givenName_default = John
surname = Last Name
surname_default = Smith
initials = Initials
initials_default = JS
name = Full Name
name_default = John Smith
dnQualifier = DN Qualifier
dnQualifier_default = fyicenter.com
C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it]:
First Name [John]:
Last Name [Smith]:
Initials [JS]:
Full Name [John Smith]:
DN Qualifier [fyicenter.com]:
OpenSSL> req -in test.csr -subject -noout
subject=/emailAddress=john@it/GN=John/SN=Smith/initials=JS/name=John Smith
/dnQualifier=fyicenter.com
As you can see from the output, the resulting subject identifies well John Smith from the IT department at FYIcenter.com. This is good enough for a personal certificate.
⇒ OpenSSL "req" - X509 V3 Extensions Configuration Options
2016-10-27, 6333👍, 0💬
Related Topics:
