I made one openssl command so I can automate it using scripting. I found all the options by visiting different questions and sites but could not find the option for "An optional company name". I tried "optionalCompanyName" but it did not work.

(/C) Country Name (2 letter code) [XX]:GB
(/ST) State or Province Name (full name) []:London
(/L) Locality Name (eg, city) [Default City]:London
(/O) Organization Name (eg, company) [Default Company Ltd]:XYZ
(/U) Organizational Unit Name (eg, section) []:XYZ
(/CN) Common Name (eg, your name or your server's hostname) []:- $DOMAIN
(/emailAddress) Email Address [] :- some@some.com
(/challengePassword) A challenge password :- strongpass
(/?) An optional company name []:PROBLEM

Please help.

export domain=SOMEDOMAINNAME
openssl req -nodes -newkey rsa:2048 -keyout $domain.key -out $domain.csr -subj "/C=GB/ST=London/L=London/O=XYZ/OU=XYZ UK/CN=$domain/emailAddress=some@some.com/challengePassword=strongpass/optionalCompanyName=PROBLEM"

The same command on multiple lines, so it is easier to read:

export domain=SOMEDOMAINNAME
openssl req -nodes -newkey rsa:2048 \
  -keyout "$domain.key" -out "$domain.csr" \
  -subj "/C=GB/ST=London/L=London/O=XYZ/OU=XYZ UK/CN=$domain/emailAddress=some@some.com/challengePassword=strongpass/optionalCompanyName=PROBLEM"

Visited links

shaILU

1 Answer

The defined attributes for the subject and issuer fields in a certificate are defined by ITU X.520.

There is no "optional company name" item defined.

I think what you are referring to is the "Organization Name" attribute type. This is defined with the LDAP-NAME of "O".

In your example:

"/C=GB/ST=London/L=London/O=XYZ/OU=XYZ UK/CN=$domain/emailAddress=some@some.com /challengePassword=strongpass/optionalCompanyName=PROBLEM"

It's the "/O=XYZ" so the "Organization" (or company name) is "XYZ".

Update:

After some reading I see where you are coming from, as I never came across this before:

"An optional company name:" is "unstructuredName".

"unstructuredName" and "challengePassword" are part of a certificate request only. So they are NOT part of the subject. So you shouldn't use "/challengePassword=strongpass" in your subject line.

You can see this in a default openssl.conf file:

[ req ]
attributes      = req_attributes

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
unstructuredName        = An optional company name

Req attributes look to be ignored by most CAs. See the note in the OpenSSL documentation:

attributes

this specifies the section containing any request attributes: its format is the same as distinguished_name. Typically these may contain the challengePassword or unstructuredName types. They are currently ignored by OpenSSL's request signing utilities but some CAs might want them.

Currently openssl does not provide any way to set req attributes from the command line. So the only way to do this is with a custom conf file with those attributes set.

If you need to do this, I would create a conf file with the prompt set to "no" and use the -conf openssl parameter. Please note that the format changes a little when you set prompt to "no".

Since req attributes are most likely ignored anyway, I would not bother setting them.

Shane Powell
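
The approach the answer describes (a config file with prompt set to "no" that carries the request attributes), as an added example that is not part of the original answer. The section names req_dn and req_attrs, the function names and the domain example.test are assumptions, and the file is passed with openssl req's -config option.

```shell
#!/bin/sh
# Added example. Section names, function names and example.test are assumptions.
# Usage: make_csr example.test "$(mktemp -d)"

# Write a prompt-free req config for domain $1 to path $2.
write_csr_config() {
    # Refuse values that could inject extra lines or sections into the config.
    case $1 in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    cat > "$2" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
attributes         = req_attrs

[ req_dn ]
C            = GB
ST           = London
L            = London
O            = XYZ
OU           = XYZ UK
CN           = $1
emailAddress = some@some.com

[ req_attrs ]
# Request attributes, not subject fields. Anyone holding the CSR can read
# both values, challengePassword included, so do not reuse a real secret.
unstructuredName  = PROBLEM
challengePassword = strongpass
EOF
}

# Create key and CSR for domain $1 in directory $2, then print the CSR's
# Subject line and request attributes so the result can be checked.
make_csr() {
    write_csr_config "$1" "$2/$1.cnf" || return 1
    ( umask 077   # -nodes leaves the key unencrypted: keep it owner-only
      openssl req -new -nodes -newkey rsa:2048 -config "$2/$1.cnf" \
          -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null ) || return 1
    openssl req -in "$2/$1.csr" -noout -text |
        grep -E 'Subject:|unstructuredName|challengePassword'
}
```

The printed lines show unstructuredName and challengePassword under the CSR's attributes rather than in the Subject.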