Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Generate client certificate with principal name with OpenSSL

Tags:

ssl

openssl

I need to generate a client authentication certificate with "NT Principal Name" and "RFC 822 Name" under Subject Alternative Name, similar to this certificate, as shown in macOS keychain access (the obscured field values are AD UPN such as test@domain.com):

example certificate with principal name

I've tried using OpenSSL to generate the client authentication certificate with this command: openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout client.key -out client.crt

and this cert_config file:

[ req ]
    prompt             = no
    distinguished_name = my dn

[ my dn ]
            commonName = Test
           countryName = US
          localityName = Anywhere
      organizationName = Test
organizationalUnitName = Dev
   stateOrProvinceName = CO
          emailAddress = info@test.com
                  name = Test Cert
               surname = Cert
             givenName = Test
              initials = TC

[ my server exts ]
      extendedKeyUsage = 1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2
        subjectAltName = otherName:1.3.18.0.2.4.318;UTF8:test@example.com

But I'm unable to correct format the subject alternative name to match the example in the image above. I could not find a definition for "NT Principal Name" or "RFC 822 Name" under Subject Alternative Name in the OpenSSL documentation. When I look at the certificate produced by the command above in keychain access I see:

produced client certificate

How do I specify the "NT Principal Name" and "RFC 822 Name" fields under Subject Alternative Name in my client authentication certificate?

like image 355
Brantino Avatar asked Nov 08 '22 04:11

Brantino


1 Answers

I also suffered with this question for a long time ... I was engaged in generating a certificate for EFS Recovery Agent and this field Subject Alternative Name is there. Here of course many interesting things are written, but unfortunately there is no explicit example: https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

By downloading a great utility XCA https://www.hohnstaedt.de/xca/

And by looking at the contents of the certificates generated cipher.exe /r: for EFS Recovery Agent

Generated the required string for OpenSSL

openssl req -x509 -nodes -newkey rsa:4096 -keyout efs.key -out efs.cer -days 36500 -subj '/OU=EFS File Encryption Certificate/L=EFS/CN=efs' -addext 'extendedKeyUsage=1.3.6.1.4.1.311.10.3.4.1' -addext 'basicConstraints=CA:FALSE' -addext 'subjectAltName=otherName:msUPN;UTF8:sb@sb.local'

Here you will understand how to insert the "Principal Name" an "Subject Alternative Name" ;)

like image 117
KUL Avatar answered Nov 15 '22 11:11

KUL