OpenSSL "req" - "prompt=yes" Mode with DN Validations

Q

How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command?

✍: FYIcenter.com

A

If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you.

For example, "countryName_min=2" and "countryName_max=2" will limit the countryName value to 2 bytes only. If you enter "USA" at the countryName prompt, you will get an error.

Below is a test showing you how to use DN value length limits in the OpenSSL configuration file.

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]

# Minimum of 4 bytes are needed for common name
commonName     = Common Name
commonName_min = 4
commonName_max = 32

# ISO2 country code only
countryName     = Country Name
countryName_min = 2
countryName_max = 2

# State is optional, no minimum limit
stateOrProvinceName     = State
stateOrProvinceName_max = 24

# City is required
localityName     = City
localityName_min = 3
localityName_max = 24

# Organization is optional
organizationName     = Organization
organizationName_max = 48

# Organization Unit is optional
organizationalUnitName     = Department
organizationalUnitName_max = 48

# Email is optional
emailAddress     = Email
emailAddress_max = 48

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name []:FYI
string is too short, it needs to be at least 4 bytes long
Common Name []:FYIcenter.com CA
Country Name []:USA
string is too long, it needs to be less than  2 bytes long
Country Name []:US
State []:NY
City []:New York
Organization []:FYIcenter.com
Department []:IT
Email []:ca@fyicenter.com

As you can see from the test, setting DN value length limits helps OpenSSL "req -new" command to prompt for the user to enter correct DN values.

⇒ OpenSSL "req" - "prompt=yes" Mode with DN Defaults

⇐ OpenSSL "req" - "prompt=yes" Mode

⇑ OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-30, ∼3317🔥, 0💬

OpenSSL "req" - distinguished_name Configuration Section
What is the distinguished_name section in the OpenSSL configuration file? The distinguished_name section in the OpenSSL configuration file is a required section of options when using OpenSSL "req -new" or "req -newkey" commands to generate a new CSR or self-signed certificate. distinguished_name sec... 2016-11-02, ≈32🔥, 0💬

OpenSSL "req -config" - Using Configuration File
Can I use my own configuration file when running "req" command? Yes, you can specify your own configuration file using the "-config file" option when running the "req" command. OpenSSL configuration file allows you to control the behavior of the "req" command with the following options: utf8 - If se... 2016-11-03, ≈16🔥, 0💬

OpenSSL "req" - "prompt=no" Mode
How to use the "prompt=no" mode of the OpenSSL "req -new" command? I want to specify DN field values directly in the configuration file. You can use "prompt=no" mode of the OpenSSL "req -new" command as shown below, if you set "prompt=no" and provide DN (Distinguished Name) field values in the confi... 2016-11-02, ≈14🔥, 0💬

OpenSSL "req -new" - DN Fields for Personal Certificates
How to use additional DN fields to create CSR for personal certificates? You can set additional DN fields in the configuration file to allow OpenSSL "req -new" command to generate CSR for personal certificates. Additional DN fields are: emailAddress, name, surname, givenName, initials and dnQualifie... 2016-10-27, ∼7868🔥, 0💬

OpenSSL "req" - "prompt=yes" Mode
How to use the "prompt=yes" mode of the OpenSSL "req -new" command? I want to enter DN values at the command prompt. You can use "prompt=yes" mode of the OpenSSL "req -new" command as shown below, if you set "prompt=yes" and provide DN (Distinguished Name) field prompts in the configuration file. C:... 2016-10-30, ∼6651🔥, 0💬

OpenSSL "req" - "prompt=yes" Mode with DN Defaults
How to specify DN value defaults when using the "prompt=yes" mode of the OpenSSL "req -new" command? If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) default values in the configuration file. OpenSSL will prompt the user for DN fields with default values. The user can pre... 2016-10-29, ∼5995🔥, 0💬

OpenSSL "req new -batch" - Using DN Default Values Only
How to run OpenSSL "req -new" command in batch mode? I don't OpenSSL to use DN default values only and do not prompt me. If you have DN (Distinguished Name) default values provided in the configuration file, you can run OpenSSl "req -new -batch" command to take default values only without prompt as ... 2016-10-29, ∼5336🔥, 0💬

OpenSSL "req -new" - Repeating DN Fields
Can I repeat a DN field multiple times in the configuration file for the OpenSSL "req -new" command? Yes, you can repeat a DN (Distinguished Name) field multiple times in the configuration file. This can be done by prefix the DN field name with "0.", "1.", and so on. For example. "0.emailAddress=Ema... 2016-10-27, ∼4218🔥, 0💬

OpenSSL "req" - "prompt=yes" Mode with DN Validations
How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command? If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you. For ... 2016-10-30, ∼3318🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.