2

When creating a CSR, since the conf can take country and state info, I assume it will be embedded in the certificate. If so, how do I display it after the certificate is signed? I tried `openssl x509 -in foo.crt -noout -text`, but it seems the information is not there. I also checked `-help`. Is there any other way to print it? Thanks a lot.

More found: it seems the country and state information is removed when the CSR is signed, correct?

For example, this is what I observe.

```
$ openssl req -text -noout -in server.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: Subject: DC=..., DC=..., C=..., ST=..., L=..., O=..., OU=..., CN=...
...

$ openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=..., DC=..., O=..., OU=..., CN=...
    Validity
        Not Before: Dec  5 22:05:21 2013 GMT
        Not After : Dec  5 22:05:21 2015 GMT
    Subject: DC=..., DC=..., O=..., OU=..., CN=...
```

As seen, the "C", "ST" and "L" fields in the Subject are missing in the certificate.

user180574

3 Answers

1

Country and state information is under Subject, in the C and ST fields respectively.

As per my knowledge, the issuer does not remove any information present in the CSR.

doptimusprime
  • This is weird, at least not what I see. Please check my recent edit. Thank you. – user180574 Dec 10 '13 at 19:38
  • 3
    They absolutely can and, depending on what information is present, should remove information present in a CSR. Rather, they will not (should not) place anything into the CSR that has not been explicitly verified. – Jumbogram Dec 10 '13 at 20:02
  • @Jumbogram, Any configuration I can tune to maintain country/state/city info from CSR to CERT? Thanks. – user180574 Dec 10 '13 at 21:36
1

You would use the same command you are already using (if you only care about subject information, you could use `openssl x509 -subject -noout -in server.crt`, replacing `-text` with `-subject`). The problem in your case is that, as you noted, the city and state information was removed by the signer. What information to place into the certificate is ultimately the prerogative of the issuer.

Henrik
Jumbogram
  • This is by a self-signed CA. I use the command `openssl ca -config server.conf -in server.csr -out server.crt` to sign. Anything to refine here? – user180574 Dec 10 '13 at 21:43
  • Depends on what's in your config. You could use the `-subj` argument: https://www.openssl.org/docs/apps/ca.html – Jumbogram Dec 11 '13 at 01:14
  • If you're just making a self-signed cert, you can forget the config and just use the steps 1-4 from http://www.akadia.com/services/ssh_test_certificate.html , or via the single command listed at http://stackoverflow.com/a/10176685/535741 ( `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX` ) – Jumbogram Dec 12 '13 at 03:58
  • I just want to edit before I see your comment. It turns out I need to modify the match policy in the configuration file to set country/state/city name as match. Then it will copy from CSR to CERT. So I will keep using conf file, but thank you very much for the comment. – user180574 Dec 12 '13 at 20:36
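
What the last comment above describes, as an added example that is not part of the original thread: `openssl ca` copies into the certificate only the subject attributes named in its policy section and silently deletes the rest (unless `-preserveDN` is given). The throwaway CA, file names, policy section names and DN values below are all constructed for the demonstration.

```shell
# Added demo: throwaway CA in a temp dir. All names and DN values are constructed.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
mkdir newcerts && : > index.txt && echo 01 > serial

cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = index.txt
new_certs_dir   = newcerts
serial          = serial
certificate     = ca.crt
private_key     = ca.key
default_md      = sha256
default_days    = 30
unique_subject  = no
# Weak: C, ST and L are not listed, so "openssl ca" silently deletes them.
[ policy_drops_location ]
organizationName    = supplied
commonName          = supplied
# Corrected: every attribute that must survive signing is listed.
[ policy_keeps_location ]
countryName         = match
stateOrProvinceName = match
localityName        = match
organizationName    = supplied
commonName          = supplied
EOF

DN="/C=US/ST=State/L=City/O=Example"
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout ca.key -out ca.crt -subj "$DN/CN=Demo CA" 2>/dev/null
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr -subj "$DN/CN=server.example" 2>/dev/null

# issued_subject POLICY: sign server.csr under POLICY, print the certificate subject.
issued_subject() {
  openssl ca -batch -notext -config "$WORK/ca.cnf" -policy "$1" \
    -in "$WORK/server.csr" -out "$WORK/$1.crt" 2>/dev/null &&
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt"
}

issued_subject policy_drops_location   # O and CN only
issued_subject policy_keeps_location   # C, ST, L, O and CN
```

`match` additionally requires the CSR value to equal the same attribute in the CA certificate; `supplied` or `optional` copy the attribute without that constraint.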
1

Display the contents of an SSL certificate:

```
openssl x509 -in certificate.crt -text -noout
```
Oleh Vasylyev