OpenSSL "req -new" - CSR Attributes
How to add attributes in a new CSR using the OpenSSL "req -new" command? I was asked to create a CSR with a challenge password as an attribute.
✍: FYIcenter.com
To add attributes to a new CSR created by the OpenSSL "req -new" command, first write the attribute options in a named section of the configuration file. For example:

    [my_req_attributes]
    challengePassword = Challenge password for CSR
    challengePassword_min = 4
    challengePassword_max = 20
    unstructuredName = Other notes for CSR
    unstructuredName_max = 64

Then use the "attributes" option in the [req] section to link the [my_req_attributes] section to the "req -new" command. For example:

    [req]
    input_password = fyicenter
    attributes = my_req_attributes
    ...

    [my_req_attributes]
    ...
The test below shows you how to add attributes into a CSR:
    C:\Users\fyicenter>type test.cnf
    # unnamed section of generic options
    default_md = md5

    # default section for "req" command options
    [req]
    default_bits = 1024
    input_password = fyicenter
    prompt = yes
    distinguished_name = my_req_dn_prompt
    attributes = my_req_attributes

    # section for DN fields
    [my_req_dn_prompt]
    emailAddress = Email
    emailAddress_default = john@it.fyicenter.com

    # section for attributes to included in CSR
    [my_req_attributes]
    challengePassword = Challenge password for CSR
    challengePassword_default = fyicenter
    challengePassword_min = 4
    challengePassword_max = 20
    unstructuredName = Other notes for CSR
    unstructuredName_default = Urgently needed
    unstructuredName_max = 64

    C:\Users\fyicenter>\local\openssl\openssl.exe
    OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Email [john@it.fyicenter.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    Challenge password for CSR [fyicenter]:
    Other notes for CSR [Urgently needed]:

    OpenSSL> req -in test.csr -text -noout
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: emailAddress=john@it.fyicenter.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:c2:70:cd:16:29:62:cb:5d:70:5b:5f:45:bb:34:
                        d4:fb:dd:dd:c7:e3:68:3c:2f:8b:06:0a:71:20:bd:
                        ff:94:98:e4:33:51:f7:08:a2:86:6f:fd:08:51:9b:
                        06:28:8d:48:f3:0f:23:a3:67:bf:e7:b0:9d:a7:2d:
                        f8:85:2c:9b:be:4f:44:62:71:de:e6:0e:52:9b:e0:
                        37:a5:93:54:84:3c:58:87:c7:53:bd:6a:51:70:55:
                        93:dd:58:7d:73:7e:01:1b:19:f0:36:be:bc:b4:20:
                        7c:82:e1:ff:89:b6:83:e3:7a:5a:11:e7:27:e3:bf:
                        02:5f:5a:b7:25:a0:c7:58:5f
                    Exponent: 65537 (0x10001)
            Attributes:
                unstructuredName         :unable to print attribute
                challengePassword        :unable to print attribute
        Signature Algorithm: md5WithRSAEncryption
             45:ad:36:c9:13:1b:75:ff:84:e6:6b:e9:69:92:32:95:2f:cb:
             a3:36:69:85:95:c4:73:c9:90:ab:44:d1:0e:d8:3d:04:11:4b:
             62:4e:c8:97:44:4a:3c:93:92:0d:16:57:ba:ed:fb:fc:c4:f1:
             76:aa:e0:e6:d2:05:33:b7:60:a0:d7:e8:0a:aa:95:da:39:dd:
             df:be:c4:86:d5:3c:34:78:a5:62:1b:49:cf:96:79:95:1d:55:
             a5:dd:b0:10:a6:73:18:2d:98:70:08:d3:d4:c1:6d:c0:d4:c8:
             68:f6:2d:b6:4b:97:3c:70:34:df:7e:e2:aa:48:38:a5:41:4f:
             1c:94
As you can see from the output, attributes are prompted and included in the CSR.
By the way, if "prompt=no", attribute options are taken as values instead of prompting labels.
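The "prompt=no" case as a runnable sketch, added here and not part of the original page: it builds a CSR non-interactively and then reads the attribute values back with "asn1parse", which shows that the challenge password is stored in the CSR as a plain string even though "req -text" above reports "unable to print attribute". Assumptions: a POSIX shell with openssl on the PATH; the file name noprompt.cnf, the e-mail address and both attribute values are constructed, and sha256 with a 2048-bit key replace the md5 and 1024 bits of the test above.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive CSR with attributes.
# noprompt.cnf, the e-mail address and both attribute values are constructed.

make_csr_with_attributes() {    # $1 = working directory
    cat > "$1/noprompt.cnf" <<'EOF'
[req]
default_md = sha256
prompt = no
distinguished_name = my_req_dn
attributes = my_req_attributes

[my_req_dn]
emailAddress = john@example.com

# With prompt = no these are the attribute values, not prompt labels.
[my_req_attributes]
challengePassword = constructed-pw
unstructuredName = Urgently needed
EOF
    openssl genrsa -out "$1/rsa_test.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/rsa_test.key" -out "$1/test.csr" \
        -config "$1/noprompt.cnf"
}

# Print name=value for the two attributes by walking the ASN.1 dump:
# each attribute is an OBJECT line followed by a SET holding one string.
csr_attribute_values() {        # $1 = CSR file (PEM)
    openssl asn1parse -in "$1" | awk -F: '
        /OBJECT +:(challengePassword|unstructuredName)/ { name = $NF; next }
        name != "" && /STRING/ { print name "=" $NF; name = "" }'
}

tmp=$(mktemp -d)
make_csr_with_attributes "$tmp" && csr_attribute_values "$tmp/test.csr"
rm -rf "$tmp"
```

Anyone who can read the CSR or the configuration file can read the challenge password, so handle both files accordingly.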
2016-09-23, 10827👍, 0💬