Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to create CSR with emailAddress oneline?

Tags:

openssl

I'm working on a programming project that includes a bash script that creates a certificate signing request.

The piece that's giving me trouble is:

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout example.com.key -out example.com.csr -subj "/CN=example.com/[email protected]/O=MyOrganization/OU=MyUnit/C=US/ST=AR/L=Fayetteville"

Almost all the attributes look great, but for some awful reason, openssl is meshing the emailAddress line into the common name, which is resulting in invalid certificate issues in the browser.

openssl req -text -noout -verify -in example.com.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com/[email protected], O=MyOrganization, OU=MyUnit, C=US, ST=AR, L=Fayetteville

Note how it mashes them together:

CN=example.com/[email protected]

I'm expecting it to recognize the distinct attributes:

CN=example.com, [email protected]
like image 767
Jeff Puckett Avatar asked Jul 18 '16 16:07

Jeff Puckett

People also ask

Is email required for CSR?

CSR for personal ID certificates and signing certificates must have the email address of the ID holder or name of organisation in case of business ID.

What is a CSR email?

A Certificate Signing Request or CSR is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA requires to issue a certificate.

2 Answers

If I list the emailAddress attribute first,

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout example.com.key -out example.com.csr -subj "/[email protected]/CN=example.com/O=MyOrganization/OU=MyUnit/C=US/ST=AR/L=Fayetteville"

then it seems to be able to distinguish it just fine.

openssl req -text -noout -verify -in example.com.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: [email protected], CN=example.com, O=MyOrganization, OU=MyUnit, C=US, ST=AR, L=Fayetteville
like image 133
Jeff Puckett Avatar answered Oct 24 '22 04:10

Jeff Puckett

back in the day the email address could be part of the subject field. there is a subjectAltName field for email address, which is what we all really should be using. This caused some confusion in how the "/emailAddress=" part gets parsed.

like image 24
rsgmodelworks Avatar answered Oct 24 '22 04:10

rsgmodelworks
Sign in to Comment

Related questions

Can I certify website without domain name?
What is the default IV when encrypting with aes_256_cbc cipher?
Using Java to decrypt openssl aes-256-cbc using provided key and iv
creating self-signed certificates with open ssl on windows
Importing OpenSSH RSA Public / Private Key Pair into Apple's Keychain Access
ssl certificate- get private key from csr
wget, self-signed certs and a custom HTTPS server
How does certificate revocation work with intermediate CA's?
Python Simple SSL Socket Server
Error Creating SSL Context - Qt
What are SSL heartbeats?
How do I install PyOpenSSL on Windows 7 64-bit?
Include OpenSSL in a CMakeList.txt file
Undefined reference to openssl functions when compiling with gcc in Ubuntu 11.10
How to make browser trust localhost SSL certificate?
Convert CA-signed JKS keystore to PEM
How to encrypt files with Ruby?
Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
How to use OpenSSL's SHA256 functions
uninitialized constant OpenSSL (NameError)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!