OpenSSL "req -new" - DN Fields for Personal Certificates

Q

How to use additional DN fields to create CSR for personal certificates?

✍: FYIcenter.com

A

You can set additional DN fields in the configuration file to allow OpenSSL "req -new" command to generate CSR for personal certificates. Additional DN fields are: emailAddress, name, surname, givenName, initials and dnQualifier.

The test below shows you how to use additional DN fields for personal certificates:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]

# Addtional DN fields
emailAddress         = Email
emailAddress_default = john@it

givenName         = First Name
givenName_default = John

surname         = Last Name
surname_default = Smith

initials         = Initials
initials_default = JS

name         = Full Name
name_default = John Smith

dnQualifier         = DN Qualifier
dnQualifier_default = fyicenter.com

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it]:
First Name [John]:
Last Name [Smith]:
Initials [JS]:
Full Name [John Smith]:
DN Qualifier [fyicenter.com]:

OpenSSL> req -in test.csr -subject -noout
subject=/emailAddress=john@it/GN=John/SN=Smith/initials=JS/name=John Smith
        /dnQualifier=fyicenter.com

As you can see from the output, the resulting subject identifies well John Smith from the IT department at FYIcenter.com. This is good enough for a personal certificate.

 

OpenSSL "req" - X509 V3 Extensions Configuration Options

OpenSSL "req -new" - Repeating DN Fields

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-27, 1354👍, 0💬