Email in certificates

Traditionally, the email address was part of the distinguished name (DN) of a certificate, like so:


 * Subject: C=NL, L=HomeTown, O=MyOrganisation, CN=www.example.org, emailAddress=hostmaster@example.org

However, RFC 3850 (section 3) specifies:
 * The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.

Like so:
 * Subject: C=NL, L=HomeTown, O=MyOrganisation, CN=www.example.org
 * X509v3 extensions:
 * X509v3 Subject Alternative Name:
 * email:hostmaster@example.org

openssl ca does not do this by default: it signs the subject DN exactly as it appears in the request and ignores any extensions the request carries. How to adjust the OpenSSL configuration depends on how the email address is specified in the certificate signing request that users send to the CA.

Email address in the DN of the request
Most users are accustomed to specifying their email address in the distinguished name of the request:

[ req ]
default_bits       = 2048
# the original page used sha1, which is no longer acceptable for signatures
default_md         = sha256
encrypt_key        = no
prompt             = no
string_mask        = utf8only
distinguished_name = req_distinguished_name
req_extensions     = req_cert_extensions

[ req_distinguished_name ]
countryName        = NL
localityName       = Hometown
organizationName   = My Organisation
commonName         = OpenVPN-CA
emailAddress       = hostmaster@example.org

[ req_cert_extensions ]
nsCertType         = server
# requested extensions are ignored by openssl ca unless copy_extensions is set
# (see below); for this section only the emailAddress in the DN matters
subjectAltName     = email:hostmaster@example.org

openssl req -new -config server.cnf -keyout server.key -out server.req

A CA which receives such a request should move (or copy) the email address from the distinguished name (DN) in the request to the subjectAltName of the signed certificate. OpenSSL's subjectAltName extension supports this directly: subjectAltName = email:copy adds every email address found in the subject DN to the SAN and leaves the DN as it is, while subjectAltName = email:move also removes it from the DN. Only move produces a certificate that matches the RFC 3850 recommendation.

[ ca ]
default_ca         = CA_default

[ CA_default ]
# dir, database, serial, certificate, private_key, policy and the other
# usual settings are omitted here
x509_extensions    = usr_cert

[ usr_cert ]
basicConstraints   = CA:FALSE
nsCertType         = server
# email:move takes the address out of the subject DN and puts it in the SAN;
# email:copy would add it to the SAN but leave the DN unchanged
subjectAltName     = email:move

Email address in the SubjectAltName in the request
A cleaner way is to have the users specify the email address in the subjectAltName of the request themselves:

[ req ]
default_bits       = 2048
# the original page used sha1, which is no longer acceptable for signatures
default_md         = sha256
encrypt_key        = no
prompt             = no
string_mask        = utf8only
distinguished_name = req_distinguished_name
req_extensions     = req_cert_extensions

[ req_distinguished_name ]
countryName        = NL
localityName       = Hometown
organizationName   = My Organisation
commonName         = OpenVPN-CA
# optional; leave it out if the address should appear only in the SAN,
# as RFC 3850 recommends
emailAddress       = hostmaster@example.org

[ req_cert_extensions ]
nsCertType         = server
subjectAltName     = email:hostmaster@example.org

openssl req -new -config server.cnf -keyout server.key -out server.req

In the above request, the email address is already in the subjectAltName, part of the requested X509v3 extensions. By default openssl ca ignores requested extensions. copy_extensions = copy copies those requested extensions that the CA does not set itself; copy_extensions = copyall copies all requested extensions and lets them override the CA's own settings. copyall hands control of the certificate's extensions to the requester (basicConstraints, keyUsage, extendedKeyUsage and so on), so it must not be used with requests the CA does not fully trust. Even with copy, any extension the CA leaves unset is taken verbatim from the request, so set the security-relevant extensions explicitly in the CA configuration and review the requested extensions (openssl req -in server.req -noout -text) before signing.

[ ca ]
default_ca         = CA_default

[ CA_default ]
x509_extensions    = usr_cert
copy_extensions    = copy

[ usr_cert ]
basicConstraints   = CA:FALSE
nsCertType         = server
# do not specify subjectAltName here: with copy_extensions = copy a value set
# by the CA takes precedence and the address requested in the CSR is dropped
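Both procedures above (the CA moving the address out of the DN with email:move, and the CA copying a requested subjectAltName with copy_extensions = copy) carried out end to end, as an added example written for this page and not code from the original page or from the OpenSSL project. It assumes openssl 1.1.1 or 3.x on PATH; the CA name, the temporary paths and the address hostmaster@example.org are invented for the demonstration, the CA configuration is reduced to what openssl ca needs to run, and nsCertType is left out.

```shell
# Added example, not code from the original page: a throwaway CA in a temporary
# directory signs two requests, one with the address only in the DN (CA side:
# subjectAltName = email:move) and one with the address only in the requested
# subjectAltName (CA side: copy_extensions = copy). Needs openssl on PATH;
# the CA name, paths and the address itself are invented for the demo.
set -eu

# Write a minimal `openssl ca` configuration and a self-signed CA into $1.
# $2 is an extra line for [ CA_default ], $3 an extra line for [ usr_cert ].
write_ca() {
  ca=$1
  mkdir -p "$ca/newcerts"
  : > "$ca/index.txt"; echo 01 > "$ca/serial"
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
database        = $ca/index.txt
new_certs_dir   = $ca/newcerts
serial          = $ca/serial
certificate     = $ca/ca.crt
private_key     = $ca/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
$2
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
emailAddress     = optional
[ usr_cert ]
basicConstraints = CA:FALSE
$3
[ req ]
prompt             = no
distinguished_name = ca_dn
[ ca_dn ]
CN = Example Root CA
EOF
  openssl req -x509 -config "$ca/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
}

# Write a request configuration into $1. $2 is an extra line for [ req ],
# $3 the emailAddress line for the DN (or empty), $4 a trailing section.
write_req_cnf() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
encrypt_key        = no
prompt             = no
distinguished_name = req_distinguished_name
$2
[ req_distinguished_name ]
countryName        = NL
organizationName   = My Organisation
commonName         = OpenVPN-CA
$3
$4
EOF
}

# Sign request $2 with the CA in $1 and print the path of the new certificate.
sign() {
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$2" -out "$2.crt" >/dev/null 2>&1
  echo "$2.crt"
}

# Succeed only if the address is in subjectAltName and absent from the subject DN.
email_only_in_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'email:hostmaster@example.org' &&
    ! openssl x509 -in "$1" -noout -subject | grep -q emailAddress
}

# Case 1: address only in the request DN; the CA moves it into the SAN.
demo_dn_request() {
  w=$(mktemp -d)
  write_ca "$w/ca" "" "subjectAltName = email:move"
  write_req_cnf "$w/server.cnf" "" "emailAddress = hostmaster@example.org" ""
  openssl req -new -config "$w/server.cnf" -keyout "$w/server.key" -out "$w/server.req" 2>/dev/null
  sign "$w/ca" "$w/server.req"
}

# Case 2: address only in the requested subjectAltName; the CA copies it over.
demo_san_request() {
  w=$(mktemp -d)
  write_ca "$w/ca" "copy_extensions = copy" ""
  write_req_cnf "$w/server.cnf" "req_extensions = req_cert_extensions" "" \
    "[ req_cert_extensions ]
subjectAltName = email:hostmaster@example.org"
  openssl req -new -config "$w/server.cnf" -keyout "$w/server.key" -out "$w/server.req" 2>/dev/null
  sign "$w/ca" "$w/server.req"
}

# Stand-alone run: both certificates must carry the address only in the SAN.
email_only_in_san "$(demo_dn_request)" && email_only_in_san "$(demo_san_request)" && echo OK
```

Run it with sh; each demo function prints nothing but the path of the certificate it issued. A failing email_only_in_san points at the usual mistakes: a subjectAltName left in usr_cert while copy_extensions = copy is in use (the CA's value wins and the requested address is dropped), copy_extensions not set at all (the requested extension is silently ignored), or email:copy used where email:move was intended (the address is then in both places).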