OpenSSL "req -new" - CSR Attributes
How to add attributes in a new CSR using the OpenSSL "req -new" command? I was asked to create a CSR with a challenge password as an attribute.
✍: FYIcenter.com
To add attributes to a new CSR created by the OpenSSL "req -new" command,
first write the attribute options in a named section of the configuration file.
For example:
[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = Other notes for CSR
unstructuredName_max = 64
Then use the "attributes" option in the [req] section to link the [my_req_attributes] section to the "req -new" command. For example:
[req]
input_password = fyicenter
attributes = my_req_attributes
...
[my_req_attributes]
...
The test below shows you how to add attributes into a CSR:
C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5
# default section for "req" command options
[req]
default_bits = 1024
input_password = fyicenter
prompt = yes
distinguished_name = my_req_dn_prompt
attributes = my_req_attributes
# section for DN fields
[my_req_dn_prompt]
emailAddress = Email
emailAddress_default = john@it.fyicenter.com
# section for attributes to be included in CSR
[my_req_attributes]
challengePassword = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max = 64
C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it.fyicenter.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
Challenge password for CSR [fyicenter]:
Other notes for CSR [Urgently needed]:
OpenSSL> req -in test.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: emailAddress=john@it.fyicenter.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:70:cd:16:29:62:cb:5d:70:5b:5f:45:bb:34:
d4:fb:dd:dd:c7:e3:68:3c:2f:8b:06:0a:71:20:bd:
ff:94:98:e4:33:51:f7:08:a2:86:6f:fd:08:51:9b:
06:28:8d:48:f3:0f:23:a3:67:bf:e7:b0:9d:a7:2d:
f8:85:2c:9b:be:4f:44:62:71:de:e6:0e:52:9b:e0:
37:a5:93:54:84:3c:58:87:c7:53:bd:6a:51:70:55:
93:dd:58:7d:73:7e:01:1b:19:f0:36:be:bc:b4:20:
7c:82:e1:ff:89:b6:83:e3:7a:5a:11:e7:27:e3:bf:
02:5f:5a:b7:25:a0:c7:58:5f
Exponent: 65537 (0x10001)
Attributes:
unstructuredName :unable to print attribute
challengePassword :unable to print attribute
Signature Algorithm: md5WithRSAEncryption
45:ad:36:c9:13:1b:75:ff:84:e6:6b:e9:69:92:32:95:2f:cb:
a3:36:69:85:95:c4:73:c9:90:ab:44:d1:0e:d8:3d:04:11:4b:
62:4e:c8:97:44:4a:3c:93:92:0d:16:57:ba:ed:fb:fc:c4:f1:
76:aa:e0:e6:d2:05:33:b7:60:a0:d7:e8:0a:aa:95:da:39:dd:
df:be:c4:86:d5:3c:34:78:a5:62:1b:49:cf:96:79:95:1d:55:
a5:dd:b0:10:a6:73:18:2d:98:70:08:d3:d4:c1:6d:c0:d4:c8:
68:f6:2d:b6:4b:97:3c:70:34:df:7e:e2:aa:48:38:a5:41:4f:
1c:94
As you can see from the output, the attributes are prompted for and included in the CSR.
By the way, if "prompt = no" is set, the options in the attributes section are taken as the attribute values themselves instead of as prompt labels.
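This added example (not from the original page) builds a CSR non-interactively with "prompt = no" and reads the attributes back with "openssl asn1parse", which shows that the challenge password is stored in the CSR as readable text for anyone who handles the request. The file names, e-mail address and attribute values are constructed, and it uses sha256 and a 2048-bit key rather than the md5 and 1024-bit settings of the test above.

```shell
#!/bin/sh
# Added example, not from the original page. File names, the e-mail address
# and the attribute values are constructed sample data.

# Write a prompt=no config, then create a key and a CSR in directory $1.
make_csr() {
    dir=$1
    cat > "$dir/noprompt.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = my_req_dn
attributes = my_req_attributes

# with prompt = no, each line is "field = value", not "field = prompt label"
[my_req_dn]
emailAddress = john@example.com

[my_req_attributes]
challengePassword = constructed-sample
unstructuredName = Urgently needed
EOF
    openssl genrsa -out "$dir/rsa_test.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/rsa_test.key" -out "$dir/test.csr" \
        -config "$dir/noprompt.cnf"
}

# Print the stored value of attribute $2 (e.g. challengePassword) in CSR $1.
# asn1parse prints the attribute's OBJECT line, a SET, then the string value.
csr_attribute() {
    openssl asn1parse -in "$1" | awk -v name="$2" '
        $0 ~ (":" name "[ ]*$") { found = 1; next }
        found && /STRING/       { sub(/^.*STRING[ ]*:/, ""); print; exit }'
}

# Succeed only if OpenSSL reports that the CSR self-signature verifies.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}
```

Call make_csr with a scratch directory, then csr_attribute with the resulting test.csr and an attribute name to see exactly what a recipient of the request can read.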
2016-09-23