OpenSSL "req -new" - CSR Attributes

Q

How do I add attributes to a new CSR using the OpenSSL "req -new" command? I was asked to create a CSR with a challenge password as an attribute.

✍: FYIcenter.com

A

To add attributes to a new CSR created by the OpenSSL "req -new" command, first write the attribute options in a named section of the configuration file. For example:

[my_req_attributes]
challengePassword     = Challenge password for CSR
challengePassword_min = 4
challengePassword_max = 20
 
unstructuredName      = Other notes for CSR
unstructuredName_max  = 64

Then you can use the "attributes" option in the [req] section to link the [my_req_attributes] section to the "req -new" command. For example:

[req]
input_password  = fyicenter
attributes      = my_req_attributes
...

[my_req_attributes] 
...

The test below shows you how to add attributes into a CSR:

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
default_bits       = 1024
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt
attributes         = my_req_attributes

# section for DN fields
[my_req_dn_prompt]
emailAddress         = Email
emailAddress_default = john@it.fyicenter.com

# section for attributes to be included in CSR
[my_req_attributes]
challengePassword         = Challenge password for CSR
challengePassword_default = fyicenter
challengePassword_min     = 4
challengePassword_max     = 20

unstructuredName         = Other notes for CSR
unstructuredName_default = Urgently needed
unstructuredName_max     = 64

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Email [john@it.fyicenter.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
Challenge password for CSR [fyicenter]:
Other notes for CSR [Urgently needed]:

OpenSSL> req -in test.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=john@it.fyicenter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:70:cd:16:29:62:cb:5d:70:5b:5f:45:bb:34:
                    d4:fb:dd:dd:c7:e3:68:3c:2f:8b:06:0a:71:20:bd:
                    ff:94:98:e4:33:51:f7:08:a2:86:6f:fd:08:51:9b:
                    06:28:8d:48:f3:0f:23:a3:67:bf:e7:b0:9d:a7:2d:
                    f8:85:2c:9b:be:4f:44:62:71:de:e6:0e:52:9b:e0:
                    37:a5:93:54:84:3c:58:87:c7:53:bd:6a:51:70:55:
                    93:dd:58:7d:73:7e:01:1b:19:f0:36:be:bc:b4:20:
                    7c:82:e1:ff:89:b6:83:e3:7a:5a:11:e7:27:e3:bf:
                    02:5f:5a:b7:25:a0:c7:58:5f
                Exponent: 65537 (0x10001)
        Attributes:
            unstructuredName         :unable to print attribute
            challengePassword        :unable to print attribute
    Signature Algorithm: md5WithRSAEncryption
         45:ad:36:c9:13:1b:75:ff:84:e6:6b:e9:69:92:32:95:2f:cb:
         a3:36:69:85:95:c4:73:c9:90:ab:44:d1:0e:d8:3d:04:11:4b:
         62:4e:c8:97:44:4a:3c:93:92:0d:16:57:ba:ed:fb:fc:c4:f1:
         76:aa:e0:e6:d2:05:33:b7:60:a0:d7:e8:0a:aa:95:da:39:dd:
         df:be:c4:86:d5:3c:34:78:a5:62:1b:49:cf:96:79:95:1d:55:
         a5:dd:b0:10:a6:73:18:2d:98:70:08:d3:d4:c1:6d:c0:d4:c8:
         68:f6:2d:b6:4b:97:3c:70:34:df:7e:e2:aa:48:38:a5:41:4f:
         1c:94

As you can see from the output, the attributes are prompted for and included in the CSR.

By the way, if "prompt=no" is set, the attribute options are taken as values instead of as prompt labels.
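
The "unable to print attribute" lines in the output above do not mean the values are protected: CSR attributes are stored as plain ASN.1 strings, so anyone who can read the CSR can recover the challenge password. The Python code below is an added example, not part of the original page or of OpenSSL; it decodes the attributes with a minimal DER walker. The function names and the sample CSR skeleton (empty subject, placeholder key and signature) are constructed for illustration.

```python
import base64

OIDS = {bytes.fromhex("2a864886f70d010907"): "challengePassword",   # PKCS#9 OIDs,
        bytes.fromhex("2a864886f70d010902"): "unstructuredName"}    # DER content bytes

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's content into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_attributes(csr):
    """Return {attribute name or hex OID: [string values]} for a PEM or DER CSR."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        lines = [l for l in csr.splitlines() if not l.startswith(b"-----")]
        csr = base64.b64decode(b"".join(lines))
    _, request, _ = read_tlv(csr, 0)       # CertificationRequest
    _, info = children(request)[0]         # CertificationRequestInfo
    attrs = b"".join(v for t, v in children(info) if t == 0xA0)  # [0] attributes
    found = {}
    for _, attr in children(attrs):        # Attribute ::= SEQUENCE { type, SET OF value }
        (_, oid), (_, values) = children(attr)[:2]
        found[OIDS.get(oid, oid.hex())] = [
            v.decode("utf-16-be" if t == 0x1E else "utf-8", "replace")  # 0x1E = BMPString
            for t, v in children(values)]
    return found

def tlv(tag, body):  # DER encoder, short-form length only (enough for the sample)
    return bytes([tag, len(body)]) + body

def sample_csr():
    """Constructed CSR skeleton: empty subject, placeholder key and signature."""
    attrs = b"".join(tlv(0x30, tlv(0x06, oid) + tlv(0x31, tlv(0x0C, text)))
                     for oid, text in zip(OIDS, (b"fyicenter", b"Urgently needed")))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, attrs))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))

print(csr_attributes(sample_csr()))
```

Passing the bytes of a real PEM or DER CSR file to csr_attributes works the same way.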

 


2016-09-23