How to create CSR with emailAddress oneline?

Question

I'm working on a programming project that includes a bash script that creates a certificate signing request.

The piece that's giving me trouble is:

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout example.com.key -out example.com.csr -subj "/CN=example.com/[email protected]/O=MyOrganization/OU=MyUnit/C=US/ST=AR/L=Fayetteville"

Almost all the attributes look great, but for some awful reason, openssl is meshing the emailAddress line into the common name, which is resulting in invalid certificate issues in the browser.

openssl req -text -noout -verify -in example.com.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com/[email protected], O=MyOrganization, OU=MyUnit, C=US, ST=AR, L=Fayetteville

Note how it mashes them together:

CN=example.com/[email protected]

I'm expecting it to recognize the distinct attributes:

CN=example.com, [email protected]

Answer 1

If I list the emailAddress attribute first,

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout example.com.key -out example.com.csr -subj "/[email protected]/CN=example.com/O=MyOrganization/OU=MyUnit/C=US/ST=AR/L=Fayetteville"

then it seems to be able to distinguish it just fine.

openssl req -text -noout -verify -in example.com.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: [email protected], CN=example.com, O=MyOrganization, OU=MyUnit, C=US, ST=AR, L=Fayetteville

Answer 2

back in the day the email address could be part of the subject field. there is a subjectAltName field for email address, which is what we all really should be using. This caused some confusion in how the "/emailAddress=" part gets parsed.