I need to generate a client authentication certificate with "NT Principal Name" and "RFC 822 Name" under Subject Alternative Name, similar to this certificate, as shown in macOS Keychain Access (the obscured field values are AD UPNs such as test@domain.com):
I've tried using OpenSSL to generate the client authentication certificate with this command:
openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout client.key -out client.crt
and this cert_config file:
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
commonName = Test
countryName = US
localityName = Anywhere
organizationName = Test
organizationalUnitName = Dev
stateOrProvinceName = CO
emailAddress = info@test.com
name = Test Cert
surname = Cert
givenName = Test
initials = TC
[ my server exts ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:test@example.com
But I'm unable to correctly format the Subject Alternative Name to match the example in the image above. I could not find a definition for "NT Principal Name" or "RFC 822 Name" under Subject Alternative Name in the OpenSSL documentation. When I look at the certificate produced by the command above in Keychain Access I see:
How do I specify the "NT Principal Name" and "RFC 822 Name" fields under Subject Alternative Name in my client authentication certificate?
I also suffered with this question for a long time ... I was engaged in generating a certificate for EFS Recovery Agent and this field Subject Alternative Name is there. Here of course many interesting things are written, but unfortunately there is no explicit example: https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
By downloading the great utility XCA (https://www.hohnstaedt.de/xca/) and by looking at the contents of the certificates generated by cipher.exe /r: for the EFS Recovery Agent, I generated the required string for OpenSSL:
openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.cer -days 36500 -subj '/OU=EFS File Encryption Certificate/L=EFS/CN=efs' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4.1' -addext 'basicConstraints=CA:FALSE' -addext 'subjectAltName=otherName:msUPN;UTF8:sb@sb.local'
Here you will understand how to insert the "Principal Name" and "Subject Alternative Name" ;)
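Putting the two answers together for the question as asked: the "NT Principal Name" entry is an X.509 otherName carrying the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 (OpenSSL short name msUPN), and "RFC 822 Name" is the rfc822Name GeneralName, which OpenSSL spells `email:`. The script below is an added example, not code from either post: it generates a self-signed client-auth certificate with both SAN entries via -addext (OpenSSL 1.1.1 or later) and then checks the DER bytes for the UPN OID, the UTF8String and the rfc822Name, which works regardless of whether the installed OpenSSL can pretty-print the otherName. The file names and the UPN test@example.com are constructed sample values.

```shell
#!/bin/sh
# Added example: self-signed client-auth cert whose SAN holds
#   otherName msUPN  (OID 1.3.6.1.4.1.311.20.2.3, "NT Principal Name" in Keychain Access)
#   rfc822Name       ("RFC 822 Name" in Keychain Access, OpenSSL syntax "email:")
# Needs OpenSSL 1.1.1+ for -addext. Names and the UPN are constructed sample values.
set -eu

# gen_cert OUTBASE UPN : writes OUTBASE.key and OUTBASE.crt
gen_cert() {
  out=$1; upn=$2
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -keyout "$out.key" -out "$out.crt" \
    -subj "/C=US/O=Test/CN=Test" \
    -addext "basicConstraints=CA:FALSE" \
    -addext "extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2" \
    -addext "subjectAltName=otherName:msUPN;UTF8:$upn,email:$upn" >/dev/null 2>&1
}

# hex STRING : lowercase hex of STRING's bytes
hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# san_has_upn_and_email CRT UPN : returns 0 only if the DER of CRT contains
#   06 0a 2b 06 01 04 01 82 37 14 02 03   the msUPN OID inside the otherName
#   0c <len> <utf8 bytes>                  the [0] EXPLICIT UTF8String value
#   81 <len> <ia5 bytes>                   rfc822Name, i.e. [1] IMPLICIT IA5String
san_has_upn_and_email() {
  crt=$1; upn=$2
  der=$(openssl x509 -in "$crt" -outform DER | od -An -tx1 | tr -d ' \n')
  len=$(printf '%02x' "${#upn}")   # one-byte DER length; fine for UPNs under 128 chars
  case "$der" in *060a2b060104018237140203*) ;; *) return 1 ;; esac
  case "$der" in *"0c$len$(hex "$upn")"*) ;; *) return 1 ;; esac
  case "$der" in *"81$len$(hex "$upn")"*) ;; *) return 1 ;; esac
  return 0
}

# Usage when run directly:  ./make_client_cert.sh client test@example.com
if [ "${1:-}" != "" ]; then
  gen_cert "$1" "${2:-test@example.com}"
  san_has_upn_and_email "$1.crt" "${2:-test@example.com}" && echo "SAN ok"
  openssl x509 -in "$1.crt" -noout -text | grep -A1 'Subject Alternative Name'
fi
```

On OpenSSL 3.x the final `-text` line shows the decoded UPN next to `email:`; OpenSSL 1.1.1 prints `othername:<unsupported>` for it even though the bytes are present, which is why the check reads the DER directly.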