Generate an SSL certificate with a User Principal Name using openssl

We assume that openssl is already installed.

User certificate with a UPN field

Create a new file named ext.cnf in the folder where we are going to generate certificates. Write the following line to the file:

subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:your_text_here

Replace your_text_here with your own value. The rest of the line does not need to be touched.

Now add the following flag to the command you use for certificate generation:

-extfile ext.cnf

The result will look something like this:

openssl x509 -req -CA ca_cert -CAkey ca_key -in cert_file -out cert_signed -days 365 -CAcreateserial -passin pass:qwe123 -extfile ext.cnf

The command example is taken from the article about generating SSL certificates.
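
The user-certificate steps above, run end to end and then checked, as an added example that is not part of the original article. It assumes a scratch directory and constructed placeholder names (Demo CA, demo user, alice@example.test), and it reads the UPN back with openssl asn1parse rather than the -text output, whose rendering of otherName differs between OpenSSL versions:

```shell
#!/bin/sh
# Added example. Every name here (Demo CA, demo user, alice@example.test) is a
# constructed placeholder; keys are unencrypted throwaways, so no -passin.

# make_upn_cert UPN DIR: create a scratch CA and a user certificate with the UPN.
make_upn_cert() (
    upn=$1
    cd "$2" || exit 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=Demo CA" -keyout ca_key -out ca_cert 2>/dev/null || exit 1
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=demo user" -keyout user_key -out cert_file 2>/dev/null || exit 1
    # Same line as ext.cnf above, with the UPN filled in.
    printf 'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:%s\n' "$upn" > ext.cnf
    # x509 -req does not copy extensions from the request by default;
    # the subjectAltName comes only from -extfile.
    openssl x509 -req -CA ca_cert -CAkey ca_key -in cert_file -out cert_signed \
        -days 1 -CAcreateserial -extfile ext.cnf 2>/dev/null
)

# read_upn CERT: print the UTF8String inside the subjectAltName extension.
read_upn() {
    # Offset of the OCTET STRING that wraps the subjectAltName value.
    off=$(openssl asn1parse -in "$1" | awk -F: '
        /X509v3 Subject Alternative Name/ { found = 1; next }
        found && /OCTET STRING/ { gsub(/ /, "", $1); print $1; exit }')
    [ -n "$off" ] || return 1   # no SAN at all: -extfile was not applied
    openssl asn1parse -in "$1" -strparse "$off" | sed -n 's/.*UTF8STRING *://p'
}

work=$(mktemp -d)
make_upn_cert 'alice@example.test' "$work" && read_upn "$work/cert_signed"
rm -rf "$work"
```

An empty result from read_upn means the signed certificate has no subjectAltName, which is what happens when -extfile is left off the signing command.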

CA certificate with a UPN field

Find the openssl.cnf configuration file:

For Linux it can be:

/usr/lib/ssl/openssl.cnf (primary)
/usr/local/ssl/openssl.cnf

For RHEL Linux it is:

/etc/pki/tls/openssl.cnf

If you can’t find it, use the command:

locate openssl.cnf

It works on both Linux and macOS.

Let’s make a copy of the file and save it to your home directory:

cat <path_that_you_found>/openssl.cnf > ~/openssl.cnf

We need to open the newly created file ~/openssl.cnf, find the v3_ca section and add the line there:

subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:your_text_here

Replace your_text_here with your own value. The rest of the line does not need to be touched.

Now add the following flag to the command you use for CA certificate generation:

-config ~/openssl.cnf

The result will look something like this:

openssl req -new -x509 -keyout ca_key -out ca_cert -config ~/openssl.cnf

The command example is taken from the article about generating SSL certificates.

If you still have any questions, feel free to ask me in the comments under this article or write me at promark33@gmail.com.
