Discussion:
How to create CSR with SN attribute
Per Edlund
2013-05-20 15:58:43 UTC
Hi!

Is there a way with openssl to create a key/csr with SN attribute?

As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with?

Kind regards
/Per
Salz, Rich
2013-05-20 16:13:44 UTC
Post by Per Edlund
Is there a way with openssl to create a key/csr with SN attribute?
As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with?
You can do it. The 'trick' is that you have to have a default value, so put "SN=unknown" in the global section of your config file. Then in the "[dn_req]" for your request, you can do something like "SN=$ENV::SN" to get it from the $SN environment variable.

There's lots of flexibility in the openssl config file; many levels of indirection, etc., possible with variables and $ENV constructs.

Hope this helps.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
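
The config-file approach described in the reply above, as an added example that is not part of the original thread: it assumes `openssl` is on the PATH, and "Example Org", "Edlund" and the file names are constructed.

```shell
#!/bin/sh
# Added example; "Example Org", "Edlund" and the file names are constructed.

# make_csr DIR [SURNAME]: writes DIR/req.cnf, DIR/example.key, DIR/example.csr
make_csr() {
    dir=$1
    # Quoted heredoc so the shell leaves $ENV::SN for openssl to expand.
    cat > "$dir/req.cnf" <<'EOF'
# Global (default) section: fallback when SN is absent from the environment.
# It has to come before the $ENV::SN expansion below.
SN = unknown

[req]
prompt             = no
distinguished_name = dn_req

[dn_req]
O  = Example Org
SN = $ENV::SN
EOF
    (
        # Subshell: the caller's environment is left untouched.
        if [ -n "${2:-}" ]; then SN=$2; export SN; else unset SN; fi
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
            -keyout "$dir/example.key" -out "$dir/example.csr" 2>/dev/null
    )
}

# csr_subject FILE [NAMEOPT]: print the CSR subject.
# NAMEOPT "RFC2253,oid" shows numeric OIDs instead of short names.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt "${2:-RFC2253}"
}

work=$(mktemp -d)
make_csr "$work" Edlund
csr_subject "$work/example.csr"
csr_subject "$work/example.csr" RFC2253,oid
make_csr "$work"            # SN unset: the default-section value is used
csr_subject "$work/example.csr"
rm -rf "$work"
```

In OpenSSL's object table SN is the short name of surname (OID 2.5.4.4); the serialNumber attribute (2.5.4.5) is a different field and is written out as serialNumber.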
Per Edlund
2013-05-20 22:44:32 UTC
Thanks
Post by Salz, Rich
Post by Per Edlund
Is there a way with openssl to create a key/csr with SN attribute?
As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with?
You can do it. The 'trick' is that you have to have a default value, so put "SN=unknown" in the global section of your config file. Then in the "[dn_req]" for your request, you can do something like "SN=$ENV::SN" to get it from the $SN environment variable.
There's lots of flexibility in the openssl config file; many levels of indirection, etc., possible with variables and $ENV constructs.
Hope this helps.
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Viktor Dukhovni
2013-05-20 16:20:12 UTC
Post by Per Edlund
Is there a way with openssl to create a key/csr with SN attribute?
[dn_req]
surname = Smith

Likewise with the "-subj" option use:

-subj "/surname=Smith".
or
-subj "/SN=Smith".
Post by Per Edlund
As I can see, only CN, O, OU etc are available. If not with
openssl, does anyone know another tool to create this with?
Reading the man page is a start:

man 1 req

...
DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
...
The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationUnitName, stateOrProvinceName. Additionally emailAddress is
include as well as name, surname, givenName initials and dnQualifier.

Additional object identifiers can be defined with the oid_file or
oid_section options in the configuration file. Any additional fields
will be treated as though they were a DirectoryString.

$ openssl x509 -in cert.pem -subject
subject= /SN=Dukhovni
--
Viktor.
Per Edlund
2013-05-20 14:47:10 UTC
Hello!

I need to create a key and a csr with SN=xxxxx but can't find any way to do this.

Does anyone know how to do this?

Kind regards
/Per Edlund
Erwann Abalea
2013-05-22 09:15:01 UTC
That question was answered a few days ago. Here's an example:

openssl req -new -newkey rsa:2048 -keyout dumb.key -nodes -out dumb.req \
    -subj "/C=UT/O=Whatever/GN=Per/SN=Edlund"
--
Erwann ABALEA
Post by Per Edlund
Hello!
I need to create a key and a csr with SN=xxxxx but can't find any way to do this.
Does anyone know how to do this?
Kind regards
/Per Edlund