When using an SSL certificate, creating a CSR (Certificate Signing Request) is an essential step. When creating a CSR, an important parameter is the OU (Organizational Unit) field. Normally, the OU field uses a plus sign ( ) to separate different organizational units. However, according to the suggestion of PHP editor Banana, if you want to create a CSR correctly, you should use commas (,) to separate different organizational units. Doing so can ensure the correctness of the CSR and avoid problems during the certificate application process. Therefore, when creating a CSR, please remember to use commas to separate OU fields to ensure certificate accuracy and smooth application.
I'm trying to create a certificate signing request in go using the cryptographic library. The problem is that the OU of the CSR it generates is separated by
i.e.
Subject: O = Example Org, OU = OU1 + OU = OU2, CN = example.com
How to generate a CSR for an OU separated by ,
, for example
Subject: O = Example Org, OU = OU1, OU = OU2, CN = example.com
Generating OUs separated by
seems to be the default behavior of the crypto
lib. Can this be done using a cryptographic library? If not, then is there any other library that can generate CSR with OU separated by ,
I try to generate CSR using the code below
package main import ( "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "os" ) func main() { privKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { fmt.Println(err) os.Exit(1) } csrTemplate := x509.CertificateRequest{ Subject: pkix.Name{ CommonName: "example.com", Organization: []string{"Example Org"}, OrganizationalUnit: []string{"OU1", "OU2"}, }, EmailAddresses: []string{"[email protected]"}, } csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privKey) if err != nil { fmt.Println(err) os.Exit(1) } csrPem := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csrBytes, }) fmt.Println(string(csrPem)) }
" " and "," are not part of the certificate. It is used when providing a human-readable string representation of a certificate request.
Details: Your code simply prints out the PEM-formatted CSR file, not a human-readable representation of the certificate request. Viewing this CSR using asn1parse yields:
$ openssl asn1parse -in csr.pem ... 37:d=4 hl=2 l= 10 cons: SEQUENCE 39:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 44:d=5 hl=2 l= 3 prim: PRINTABLESTRING :OU1 49:d=4 hl=2 l= 10 cons: SEQUENCE 51:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 56:d=5 hl=2 l= 3 prim: PRINTABLESTRING :OU2 61:d=3 hl=2 l= 20 cons: SET
Thus, these are separate objects, not combined strings with " " in the middle. When using req to display a certificate request, this " " appears:
$ openssl req -in csr.pem -text Certificate Request: Data: Version: 1 (0x0) Subject: O = Example Org, OU = OU1 + OU = OU2, CN = example.com
Which delimiter is used here is actually configurable. See openssl-namedisplay-options and look for sep_comma_plus_space
, which is the default separator. Quoting documents:
So you already understand: use commas between different RDNs (i.e. O, OU, CN,...), and use plus signs between multiple AVAs within the same RDN (i.e. multiple OUs) . Also, the use of multiple AVAs is discouraged under any circumstances.
The above is the detailed content of Create a CSR where OUs are separated by commas instead of plus signs. For more information, please follow other related articles on the PHP Chinese website!