OpenSSL "req" - "prompt=yes" Mode with DN Validations
How to specify DN value length limit validations when using the "prompt=yes" mode of the OpenSSL "req -new" command?
✍: FYIcenter.com
If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) value length limits in the configuration file. OpenSSL will perform value length validations for you.
For example, setting "countryName_min=2" and "countryName_max=2" limits the countryName value to exactly 2 bytes. If you enter "USA" at the countryName prompt, you will get an error.
Below is a test showing you how to use DN value length limits in the OpenSSL configuration file.
C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password = fyicenter
prompt = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]
# Minimum of 4 bytes are needed for common name
commonName = Common Name
commonName_min = 4
commonName_max = 32

# ISO2 country code only
countryName = Country Name
countryName_min = 2
countryName_max = 2

# State is optional, no minimum limit
stateOrProvinceName = State
stateOrProvinceName_max = 24

# City is required
localityName = City
localityName_min = 3
localityName_max = 24

# Organization is optional
organizationName = Organization
organizationName_max = 48

# Organization Unit is optional
organizationalUnitName = Department
organizationalUnitName_max = 48

# Email is optional
emailAddress = Email
emailAddress_max = 48

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name []:FYI
string is too short, it needs to be at least 4 bytes long
Common Name []:FYIcenter.com CA
Country Name []:USA
string is too long, it needs to be less than 2 bytes long
Country Name []:US
State []:NY
City []:New York
Organization []:FYIcenter.com
Department []:IT
Email []:ca@fyicenter.com
As you can see from the test, setting DN value length limits lets the OpenSSL "req -new" command reject a value that is too short or too long and prompt the user again until a correct DN value is entered.
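The same limits can be checked before values ever reach the prompt, for instance when DN values are collected by a script or a request form. The Python code below is an added example, not part of the original page or of OpenSSL: the function names load_limits and check_dn are hypothetical, the embedded configuration is a constructed excerpt of test.cnf, and lengths are assumed to be counted in UTF-8 bytes.

```python
import re

# Constructed sample: an excerpt of the test.cnf shown above.
SAMPLE_CNF = """\
[req]
prompt = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]
commonName = Common Name
commonName_min = 4
commonName_max = 32
countryName = Country Name
countryName_min = 2
countryName_max = 2
localityName = City
localityName_min = 3
localityName_max = 24
"""

def load_limits(cnf_text):
    """Return {field: (min, max)} for the section named by [req] distinguished_name."""
    sections, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:  # unnamed-section keys are skipped
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    dn = sections[sections["req"]["distinguished_name"]]
    fields = [k for k in dn if not k.endswith(("_min", "_max", "_default", "_value"))]
    # -1 means that no limit is configured for that bound
    return {f: (int(dn.get(f + "_min", -1)), int(dn.get(f + "_max", -1))) for f in fields}

def check_dn(limits, values):
    """Return a list of (field, problem) for supplied values that break a limit."""
    problems = []
    for field, value in values.items():
        n_min, n_max = limits.get(field, (-1, -1))
        size = len(value.encode("utf-8"))        # assumption: bytes, not characters
        if n_min > 0 and size < n_min:
            problems.append((field, f"too short: {size} < {n_min} bytes"))
        elif n_max >= 0 and size > n_max:
            problems.append((field, f"too long: {size} > {n_max} bytes"))
    return problems
```

Because the check counts bytes, a two-character country value containing non-ASCII letters is reported as too long.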
2016-10-30