I have a CSR for a user certificate with no email address specified in its DN. However, the email address is specified as an extension in subject alternative name.

Now I would like to sign this request with openssl and include the email address in the resulting certificate's DN, i.e. the email address has to be copied from subject alternative name to the emailAddress field in DN. Is that even possible with openssl?

Jacob
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Jun 01 '17 at 11:42
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Jun 01 '17 at 11:43

1 Answer

You can add new attributes to the X509 certificate's subject when you sign the certificate signing request with the `openssl ca` command. Example:

```
openssl ca -cert MyCA.cer -keyfile MyCA.pvk -config MyCA.config -in MyCertificate.req -out MyCertificate.cer -outdir . -subj /CN=MyNewName
```

However, the subject does not have a designated attribute for an e-mail (per RFC 5280). So you have two options:

  1. Use one of the allowed subject attributes to keep the new e-mail (e.g. CN=me@mycompany.com).
  2. The SAN certificate extension contains a special field for e-mail and you can put it there.

Oleg
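An added example, not part of the original question or answer: a shell sketch that reads the `email:` entry from the CSR's subject alternative name and builds the `-subj` value for the `openssl ca` call shown above. The function names `san_email` and `subj_with_email` and the sample CSR text are constructed for illustration; `emailAddress` is OpenSSL's short name for the e-mail attribute in a DN, and the base subject is assumed to be supplied by the operator.

```shell
# Constructed sample of `openssl req -in MyCertificate.req -noout -text` output.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: C = DE, O = Example Org, CN = Jacob Example
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    email:jacob@example.com, DNS:host.example.com'

# Print the first rfc822Name ("email:") entry from the line after the SAN header.
san_email() {
    printf '%s\n' "$1" | awk '
        found { n = split($0, parts, /, */)
                for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                    if (parts[i] ~ /^email:/) { print substr(parts[i], 7); exit }
                }
                found = 0 }
        /X509v3 Subject Alternative Name/ { found = 1 }'
}

# Build "<base>/emailAddress=<addr>". The CSR is requester-controlled input, so
# the address is checked against a strict allow-list first: "/", "+", "=" or
# "," in it would otherwise add or alter RDNs in the -subj string.
subj_with_email() {
    base=$1 addr=$2
    case $addr in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;  # empty, or a character outside the allow-list
        *@*@*) return 1 ;;                  # more than one "@"
        ?*@?*.?*) ;;                        # minimal local@domain.tld shape
        *) return 1 ;;
    esac
    printf '%s/emailAddress=%s\n' "$base" "$addr"
}

# Demo on the constructed sample; prints /CN=MyNewName/emailAddress=jacob@example.com
subj_with_email "/CN=MyNewName" "$(san_email "$SAMPLE_CSR_TEXT")"

# Against a real CSR (file names taken from the answer above):
#   addr=$(san_email "$(openssl req -in MyCertificate.req -noout -text)")
#   subj=$(subj_with_email "/CN=MyNewName" "$addr") &&
#   openssl ca -cert MyCA.cer -keyfile MyCA.pvk -config MyCA.config \
#       -in MyCertificate.req -out MyCertificate.cer -outdir . -subj "$subj"
```

The policy section in the CA configuration must list `emailAddress`, because `openssl ca` silently deletes DN fields the policy does not mention unless `-preserveDN` is given. The allow-list also rejects plus-addressed mailboxes, since `+` joins multi-valued RDNs in `-subj`.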