 

Generate client certificate with principal name with OpenSSL

Tags: ssl, openssl

I need to generate a client authentication certificate with "NT Principal Name" and "RFC 822 Name" under Subject Alternative Name, similar to this certificate, as shown in macOS keychain access (the obscured field values are AD UPN such as [email protected]):

example certificate with principal name

I've tried using OpenSSL to generate the client authentication certificate with this command:

openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout client.key -out client.crt

and this cert_config file:

[ req ]
    prompt             = no
    distinguished_name = my dn

[ my dn ]
            commonName = Test
           countryName = US
          localityName = Anywhere
      organizationName = Test
organizationalUnitName = Dev
   stateOrProvinceName = CO
          emailAddress = [email protected]
                  name = Test Cert
               surname = Cert
             givenName = Test
              initials = TC

[ my server exts ]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
        subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:[email protected]

But I'm unable to correctly format the subject alternative name to match the example in the image above. I could not find a definition for "NT Principal Name" or "RFC 822 Name" under Subject Alternative Name in the OpenSSL documentation. When I look at the certificate produced by the command above in keychain access I see:

produced client certificate

How do I specify the "NT Principal Name" and "RFC 822 Name" fields under Subject Alternative Name in my client authentication certificate?

Brantino asked Nov 08 '22 04:11


1 Answer

I also suffered with this question for a long time ... I was engaged in generating a certificate for EFS Recovery Agent and this field Subject Alternative Name is there. Here of course many interesting things are written, but unfortunately there is no explicit example: https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

By downloading a great utility XCA https://www.hohnstaedt.de/xca/

And by looking at the contents of the certificates generated by cipher.exe /r: for EFS Recovery Agent

Generated the required string for OpenSSL:

openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.cer -days 36500 -subj '/OU=EFS File Encryption Certificate/L=EFS/CN=efs' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4.1' -addext 'basicConstraints=CA:FALSE' -addext 'subjectAltName=otherName:msUPN;UTF8:[email protected]'

Here you will understand how to insert the "Principal Name" and "Subject Alternative Name" ;)

KUL answered Nov 15 '22 11:11
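An added example, not part of the question or the answer: it puts the answer's `otherName:msUPN` entry and an `email:` (rfc822Name) entry into one `subjectAltName` line, then checks the resulting certificate's DER for the msUPN OID bytes so the check does not depend on how a given OpenSSL version prints otherName. The function names, UPN, e-mail address and file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the UPN, e-mail address and file names are constructed placeholders.
set -eu

# make_client_cert <upn> <email> <outdir>: self-signed client cert with both SAN entries
make_client_cert() {
  cat > "$3/client.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = client_exts

[ dn ]
commonName = Test

[ client_exts ]
basicConstraints = CA:FALSE
# clientAuth plus Microsoft smart card logon, the two EKU OIDs from the question
extendedKeyUsage = 1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
# otherName typed with OID msUPN (1.3.6.1.4.1.311.20.2.3), then an rfc822Name
subjectAltName   = otherName:msUPN;UTF8:$1,email:$2
EOF
  # rsa:2048 keeps the demo fast; the question uses rsa:4096
  openssl req -x509 -config "$3/client.cnf" -nodes -days 365 \
    -newkey rsa:2048 -keyout "$3/client.key" -out "$3/client.crt"
}

# san_has_upn <cert> <upn>: true if the DER holds the msUPN OID and the UPN string.
# 06 0a 2b ... 03 is the DER encoding of OID 1.3.6.1.4.1.311.20.2.3.
san_has_upn() {
  openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -s ' \n' ' ' \
    | grep -q '06 0a 2b 06 01 04 01 82 37 14 02 03' \
  && openssl x509 -in "$1" -outform DER | grep -aqF "$2"
}

# san_has_email <cert> <email>: true if the SAN lists the address as an rfc822Name
san_has_email() {
  openssl x509 -in "$1" -noout -text | grep -qF "email:$2"
}

# Usage: d=$(mktemp -d); make_client_cert jdoe@corp.example.test jdoe@mail.example.test "$d"
```
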