Email in certificates

From Exterior Memory

Traditionally, the email address was part of the distinguished name (DN) of a certificate, like so:

Subject: C=NL, L=HomeTown, O=MyOrganisation, CN=www.example.org, emailAddress=hostmaster@example.org

However, RFC 3850 (section 3) specifies that nowadays:

The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.

Like so:

Subject: C=NL, L=HomeTown, O=MyOrganisation, CN=www.example.org
X509v3 extensions:
X509v3 Subject Alternative Name:
email:hostmaster@example.org

OpenSSL does not produce this layout by default: openssl ca builds the subject of the certificate from the DN fields of the request (emailAddress included) and ignores any extensions the request carries. How to adjust the OpenSSL configuration depends on how the email address is specified in the certificate signing request that users send to the CA.

Email address in the DN of the request

Most users are accustomed to specifying their email address in the distinguished name of the request:

[ req ]
default_bits        = 2048
default_md          = sha1
encrypt_key         = no
prompt              = no
string_mask         = utf8only
distinguished_name  = req_distinguished_name
req_extensions      = req_cert_extensions

[ req_distinguished_name ]
countryName         = NL
localityName        = Hometown
organizationName    = My Organisation
commonName          = OpenVPN-CA
emailAddress        = hostmaster@example.org

[ req_cert_extensions ]
nsCertType          = server

Create the request with:

openssl req -new -config server.cnf -keyout server.key -out server.req

A CA that receives such a request should move (or copy) the email address from the distinguished name (DN) of the request to the subjectAltName of the signed certificate. Setting subjectAltName=email:copy in the CA's certificate extension section copies the address from the DN into the subjectAltName and leaves the DN as it is; subjectAltName=email:move also removes it from the DN, which is what RFC 3850 asks for.

[ ca ]
default_ca          = CA_default

[ CA_default ]
# ...
x509_extensions     = usr_cert
# ...

[ usr_cert ]
basicConstraints    = CA:FALSE
nsCertType          = server
subjectAltName      = email:move

Email address in the SubjectAltName in the request

A cleaner way is to let users specify the email address in the subjectAltName of the request themselves:

[ req ]
default_bits        = 2048
default_md          = sha1
encrypt_key         = no
prompt              = no
string_mask         = utf8only
distinguished_name  = req_distinguished_name
req_extensions      = req_cert_extensions

[ req_distinguished_name ]
countryName         = NL
localityName        = Hometown
organizationName    = My Organisation
commonName          = OpenVPN-CA
emailAddress        = hostmaster@example.org

[ req_cert_extensions ]
nsCertType          = server
subjectAltName      = email:hostmaster@example.org

Create the request with:

openssl req -new -config server.cnf -keyout server.key -out server.req

In the above request, the email address is already specified in the subjectAltName, as part of the requested X.509v3 extensions. By default, openssl ca ignores the extensions in a request. Set copy_extensions = copy to copy the requested extensions that the CA's own extension section does not already define, or copy_extensions = copyall to copy all requested extensions, overriding the ones the CA defines. Be careful with the copyall option: it lets the requester override every extension the CA sets, including basicConstraints, so a request asking for CA:TRUE would be issued as a CA certificate. With copy, keep basicConstraints = CA:FALSE in the CA's section so a request cannot supply its own, and leave subjectAltName out of that section, because a CA-defined subjectAltName would take precedence and the request's copy would be dropped.

[ ca ]
default_ca          = CA_default

[ CA_default ]
# ...
x509_extensions     = usr_cert
copy_extensions     = copy
# ...

[ usr_cert ]
basicConstraints    = CA:FALSE
nsCertType          = server
# do not specify subjectAltName here.
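The following script, added here and not part of the original page, exercises both approaches end to end with the openssl command-line tool. It creates a throwaway root CA in a temporary directory (the page assumes a CA already exists), generates a request like the one above, signs it once with a CA configuration that uses subjectAltName = email:move and once with copy_extensions = copy, and reports for each certificate whether the email address sits in the subject DN, in the subjectAltName, or in both. The CA name "Demo Root CA", the policy section, the directory layout and the function names are the script's own assumptions; nsCertType and the L and O fields are left out because they play no part in the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway CA, sign the
# page's request with the email:move policy and with copy_extensions = copy,
# and report where the email address ended up. Needs the openssl CLI.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
EMAIL=hostmaster@example.org      # the address used on the page

# Stand-in self-signed root CA (the page assumes an existing CA).
make_ca() {
    cat > "$WORK/ca-req.cnf" <<EOF
[ req ]
default_bits        = 2048
encrypt_key         = no
prompt              = no
distinguished_name  = dn
[ dn ]
commonName          = Demo Root CA
EOF
    openssl req -x509 -days 1 -config "$WORK/ca-req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The page's request: email in the DN and in the requested subjectAltName.
make_request() {
    cat > "$WORK/server.cnf" <<EOF
[ req ]
default_bits        = 2048
encrypt_key         = no
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = req_cert_extensions
[ req_distinguished_name ]
countryName         = NL
commonName          = OpenVPN-CA
emailAddress        = $EMAIL
[ req_cert_extensions ]
subjectAltName      = email:$EMAIL
EOF
    openssl req -new -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.req" 2>/dev/null
}

# CA config for one mode: "move" puts email:move in the CA's own extension
# section; "copy" takes the subjectAltName from the request via copy_extensions.
# Each mode gets a fresh database so the same request can be signed twice.
write_ca_cnf() {   # $1 = move|copy
    mkdir -p "$WORK/$1/newcerts"; : > "$WORK/$1/index.txt"; echo 01 > "$WORK/$1/serial"
    if [ "$1" = move ]; then
        ca_opt=''; ext_opt='subjectAltName      = email:move'
    else
        ca_opt='copy_extensions     = copy'; ext_opt='# subjectAltName comes from the request'
    fi
    cat > "$WORK/$1/ca.cnf" <<EOF
[ ca ]
default_ca          = CA_default
[ CA_default ]
database            = $WORK/$1/index.txt
serial              = $WORK/$1/serial
new_certs_dir       = $WORK/$1/newcerts
certificate         = $WORK/ca.crt
private_key         = $WORK/ca.key
default_days        = 1
default_md          = sha256
policy              = policy_any
x509_extensions     = usr_cert
$ca_opt
[ policy_any ]
countryName         = optional
commonName          = supplied
emailAddress        = optional
[ usr_cert ]
basicConstraints    = CA:FALSE
$ext_opt
EOF
}

sign_with() {   # $1 = move|copy; prints the path of the issued certificate
    write_ca_cnf "$1"
    openssl ca -batch -notext -config "$WORK/$1/ca.cnf" \
        -in "$WORK/server.req" -out "$WORK/$1/server.crt" 2>/dev/null
    echo "$WORK/$1/server.crt"
}

# Where did the email land? Prints "dn", "san", "dn+san" or "none".
email_location() {   # $1 = certificate file
    text=$(openssl x509 -in "$1" -noout -text)
    in_dn=$(printf '%s\n' "$text" | grep '^ *Subject:' | grep -c "emailAddress *= *$EMAIL" || true)
    in_san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -c "email:$EMAIL" || true)
    case "$in_dn$in_san" in
        00) echo none ;; 10) echo dn ;; 01) echo san ;; *) echo dn+san ;;
    esac
}

make_ca
make_request
for mode in move copy; do
    printf '%-4s -> email in %s\n' "$mode" "$(email_location "$(sign_with "$mode")")"
done
```

Run as-is, the script prints "move -> email in san" and "copy -> email in dn+san": email:move gives the RFC 3850 layout directly, while copy_extensions = copy only adds the subjectAltName and leaves the emailAddress in the DN, because nothing in that configuration removes it from the request's DN. The check deliberately parses the openssl x509 -text output rather than relying on the newer -ext option, so it works with older OpenSSL releases as well.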