RE: How to create CSR with SN attribute
Is there a way with openssl to create a key/csr with SN attribute? As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with? You can do it. The 'trick' is that you have to have a default value, so put SN=unknown in the global section of your config file. Then in the [dn_req] for your request, you can do something like SN=$ENV::SN to get it from the $SN environment variable. There's lots of flexibility in the openssl config file; many levels of indirection, etc., possible with variables and $ENV constructs. Hope this helps. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to create CSR with SN attribute
On Mon, May 20, 2013 at 05:58:43PM +0200, Per Edlund wrote: Is there a way with openssl to create a key/csr with SN attribute? [dn_req] surname = Smith Likewise with the -subj option use: -subj /surname=Smith. or -subj /SN=Smith. As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with? Reading the man page is a start: man 1 req ... DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT ... The actual permitted field names are any object identifier short or long names. These are compiled into OpenSSL and include the usual values such as commonName, countryName, localityName, organizationName, organizationUnitName, stateOrProvinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. Additional object identifiers can be defined with the oid_file or oid_section options in the configuration file. Any additional fields will be treated as though they were a DirectoryString. $ openssl x509 -in cert.pem -subject subject= /SN=Dukhovni -BEGIN CERTIFICATE- MIIBnjCCAUWgAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQEEwhEdWtob3Zu aTAeFw0xMzA1MjAxNjExNDZaFw0xMzA2MTkxNjExNDZaMBMxETAPBgNVBAQTCER1 a2hvdm5pMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPftMa443p6qKRnMYv2VY Tj1B/B5d3L4o749Ta80D4FrlQnsY9IVCqxF88I9Z4MmdboWX9Q6KhhxNTvRG+3+3 +6OBiTCBhjAJBgNVHRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD AjAdBgNVHQ4EFgQU966IxQjUmZhxj89v17bW5S5/3dAwHwYDVR0jBBgwFoAU966I xQjUmZhxj89v17bW5S5/3dAwGgYDVR0RBBMwEYIPZm9vLmV4YW1wbGUuY29tMAoG CCqGSM49BAMCA0cAMEQCIF9dsh6UP4w7xUp3iXk6T0maDRmQ5lIoLAD6hsf3qZx2 AiA/WVhlsDdtaoMymhwe6R+UR3UlRICw3lAXS49ErJDyCA== -END CERTIFICATE- -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to create CSR with SN attribute
Thanks On 20 maj 2013, at 18:13, Salz, Rich rs...@akamai.com wrote: Is there a way with openssl to create a key/csr with SN attribute? As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with? You can do it. The 'trick' is that you have to have a default value, so put SN=unknown in the global section of your config file. Then in the [dn_req] for your request, you can do something like SN=$ENV::SN to get it from the $SN environment variable. There's lots of flexibility in the openssl config file; many levels of indirection, etc., possible with variables and $ENV constructs. Hope this helps. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org