OpenSSL "req -new" - CSR Attributes
How do I add attributes to a new CSR using the OpenSSL "req -new" command? I was asked to create a CSR with a challenge password as an attribute.
✍: FYIcenter.com
In order to add attributes to a new CSR created by the OpenSSL "req -new" command, first you need to write the attribute options in a named section in the configuration file. For example:

[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = Other notes for CSR
unstructuredName_max = 64

Then you can use the "attributes" option in the [req] section to link the [my_req_attributes] section to the "req -new" command. For example:

[req]
input_password = fyicenter
attributes = my_req_attributes
...

[my_req_attributes]
...

The test below shows you how to add attributes into a CSR:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
default_bits = 1024
input_password = fyicenter
prompt = yes
distinguished_name = my_req_dn_prompt
attributes = my_req_attributes

# section for DN fields
[my_req_dn_prompt]
emailAddress = Email
emailAddress_default = john@it.fyicenter.com

# section for attributes to be included in CSR
[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max = 64

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it.fyicenter.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
Challenge password for CSR [fyicenter]:
Other notes for CSR [Urgently needed]:

OpenSSL> req -in test.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=john@it.fyicenter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:70:cd:16:29:62:cb:5d:70:5b:5f:45:bb:34:
                    d4:fb:dd:dd:c7:e3:68:3c:2f:8b:06:0a:71:20:bd:
                    ff:94:98:e4:33:51:f7:08:a2:86:6f:fd:08:51:9b:
                    06:28:8d:48:f3:0f:23:a3:67:bf:e7:b0:9d:a7:2d:
                    f8:85:2c:9b:be:4f:44:62:71:de:e6:0e:52:9b:e0:
                    37:a5:93:54:84:3c:58:87:c7:53:bd:6a:51:70:55:
                    93:dd:58:7d:73:7e:01:1b:19:f0:36:be:bc:b4:20:
                    7c:82:e1:ff:89:b6:83:e3:7a:5a:11:e7:27:e3:bf:
                    02:5f:5a:b7:25:a0:c7:58:5f
                Exponent: 65537 (0x10001)
        Attributes:
            unstructuredName         :unable to print attribute
            challengePassword        :unable to print attribute
    Signature Algorithm: md5WithRSAEncryption
         45:ad:36:c9:13:1b:75:ff:84:e6:6b:e9:69:92:32:95:2f:cb:
         a3:36:69:85:95:c4:73:c9:90:ab:44:d1:0e:d8:3d:04:11:4b:
         62:4e:c8:97:44:4a:3c:93:92:0d:16:57:ba:ed:fb:fc:c4:f1:
         76:aa:e0:e6:d2:05:33:b7:60:a0:d7:e8:0a:aa:95:da:39:dd:
         df:be:c4:86:d5:3c:34:78:a5:62:1b:49:cf:96:79:95:1d:55:
         a5:dd:b0:10:a6:73:18:2d:98:70:08:d3:d4:c1:6d:c0:d4:c8:
         68:f6:2d:b6:4b:97:3c:70:34:df:7e:e2:aa:48:38:a5:41:4f:
         1c:94

As you can see from the output, the attributes are prompted for and included in the CSR.
By the way, if "prompt=no", attribute options are taken as values instead of prompting labels.
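
The "prompt=no" case just described, as an added example (not from the original page) that uses SHA-256 and a 2048-bit key instead of the md5 and 1024 bits of the test above. It then reads the attributes back with "asn1parse", showing that the challenge password sits in the CSR as a readable string. The file names, the unencrypted sample key and the attribute values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. File names, the key and the
# attribute values are constructed samples.
set -eu

# Create a key and a CSR without prompting; print the scratch directory used.
make_csr_with_attributes() {
    dir=$(mktemp -d)
    cat > "$dir/attr.cnf" <<'EOF'
[req]
default_md         = sha256
prompt             = no
distinguished_name = my_req_dn
attributes         = my_req_attributes

# With prompt = no each entry is the value itself, not a prompt label,
# so the _default/_min/_max keys are left out.
[my_req_dn]
emailAddress = john@example.com

[my_req_attributes]
challengePassword = sample-challenge-1
unstructuredName  = Urgently needed
EOF
    openssl genrsa -out "$dir/test.key" 2048 2>/dev/null
    openssl req -new -key "$dir/test.key" -out "$dir/test.csr" \
        -config "$dir/attr.cnf"
    echo "$dir"
}

# Print the string stored under one attribute, read from the raw ASN.1 dump.
# $1 = CSR file, $2 = attribute name as asn1parse prints it
csr_attribute_value() {
    openssl asn1parse -in "$1" | awk -v name="$2" '
        $0 ~ ("OBJECT +:" name) { want = 1; next }
        want && /STRING/ { sub(/^.*STRING +:/, ""); print; exit }'
}

csr_dir=$(make_csr_with_attributes)
echo "challengePassword in CSR: $(csr_attribute_value "$csr_dir/test.csr" challengePassword)"
echo "unstructuredName in CSR:  $(csr_attribute_value "$csr_dir/test.csr" unstructuredName)"
```
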
2016-09-23