How to specify a template name when creating CSR with OpenSSL

Short answer: openssl req -new -keyout private.key -out webserver.csr -addext '1.3.6.1.4.1.311.20.2=ASN1:IA5STRING:MyTemplate'
For more explanation, keep on reading...

When generating a Certificate Signing Request (CSR) with OpenSSL, you can add extensions inline with the -addext argument. For example, if you need additional names through the Subject Alternative Names extension:

> openssl req -new -keyout private.key -out webserver.csr -addext 'subjectAltName=DNS:webserver.example.org,DNS:intranet.example.org'


On a Microsoft Enterprise (i.e. domain-joined) certification authority, every CSR submitted must refer to a template. This template contains common properties that are applied when the certificate is issued. For example, a template might specify a validity period or specific EKUs. The Template Name can be supplied in the CSR through a Template Name extension.

Sadly, this extension is Microsoft-specific and OpenSSL does not know it. As a consequence, a command like this one fails:

> openssl req -new -keyout private.key -out webserver.csr -addext 'TemplateName=WebServer'

Error checking extensions defined using -addext 40D755369F7F0000:error:11000082:X509 V3 routines:do_ext_nconf:unknown extension name:../crypto/x509/v3_conf.c:88:


So... how can you specify the template to be used?

Of course, if the Template Name is not part of the CSR, the usual way is to add it at submission time with the certreq.exe utility:

certreq.exe -submit -attrib "CertificateTemplate:WebServer" webserver.csr

But that doesn't let the requester supply the Template Name when the CSR is generated.

Here is the way to specify a Template Name in a CSR with OpenSSL.
First, you have to give the OID of this extension because OpenSSL doesn't know it. As mentioned in the link above, the OID for Template Name extension is 1.3.6.1.4.1.311.20.2.

> openssl req -new -keyout private.key -out webserver.csr -addext '1.3.6.1.4.1.311.20.2=WebServer'


Second, you have to specify the data type of this extension. In our case, it is a string. I advise using the ASN.1 IA5STRING type, so you can use any ASCII character. For example:

> openssl req -new -keyout private.key -out webserver.csr -addext '1.3.6.1.4.1.311.20.2=ASN1:IA5STRING:WebServer'


That's it, you just created a Certificate Signing Request with a custom Template Name! Note that you can have multiple -addext statements, so that the following is fully valid:

> openssl req -new -keyout private.key -out webserver.csr -addext '1.3.6.1.4.1.311.20.2=ASN1:IA5STRING:WebServer' -addext 'subjectAltName=DNS:webserver.example.org,DNS:intranet.example.org'
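Before handing such a CSR to the CA, it is worth checking that the template name really ended up in the request. The script below is an added example, not part of the original post: it wraps the final command above (with a constructed subject, RSA 2048 key and the "WebServer" template, all assumptions for the demo) and then reads the template extension back out of the CSR. Because OpenSSL does not know the OID, "openssl req -text" only dumps the raw bytes, so the check walks the DER with "openssl asn1parse" and parses the OCTET STRING that follows the OID as a nested ASN.1 value. Requires OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CSR carrying the
# Microsoft Template Name extension plus a SAN, then read the template name
# back out of the CSR. Subject, file names and the "WebServer" template are
# constructed values for this demo. Requires OpenSSL >= 1.1.1 (-addext).
set -eu

# Microsoft szOID_ENROLL_CERTTYPE_EXTENSION, as used on the page.
TEMPLATE_OID="1.3.6.1.4.1.311.20.2"

# make_csr TEMPLATE DIR
# Writes DIR/private.key and DIR/webserver.csr. The template name is encoded
# as an ASN.1 IA5STRING, the same type the page recommends.
make_csr() {
    template="$1"; dir="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=webserver.example.org" \
        -keyout "$dir/private.key" -out "$dir/webserver.csr" \
        -addext "$TEMPLATE_OID=ASN1:IA5STRING:$template" \
        -addext 'subjectAltName=DNS:webserver.example.org,DNS:intranet.example.org' \
        >/dev/null 2>&1
}

# csr_template CSRFILE
# Prints "TYPE:VALUE" for the template extension, e.g. "IA5STRING:WebServer",
# or fails when the CSR carries no such extension. An X.509 extension is a
# SEQUENCE of OBJECT, optional critical BOOLEAN and an OCTET STRING that wraps
# the DER-encoded value, so: find the OID, take the offset of the following
# OCTET STRING, and let asn1parse -strparse decode its contents.
csr_template() {
    csr="$1"
    offset=$(openssl asn1parse -in "$csr" |
        awk -v oid="$TEMPLATE_OID" '
            found && /OCTET STRING/ { sub(/:.*/, ""); gsub(/ /, ""); print; exit }
            $0 ~ (":" oid "$")      { found = 1 }')
    [ -n "$offset" ] || { echo "no template extension in $csr" >&2; return 1; }
    openssl asn1parse -in "$csr" -strparse "$offset" |
        sed -n 's/^.*prim: \([^:]*[^: ]\) *:\(.*\)$/\1:\2/p'
}

# Run with "--demo" to generate into a temporary directory and show the result.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_csr WebServer "$work"
    echo "CSR written to $work/webserver.csr"
    echo "Template extension: $(csr_template "$work/webserver.csr")"
fi
```

If csr_template prints anything other than IA5STRING followed by the expected name, the extension was encoded with the wrong type or not at all, and the CA would fall back to whatever template is supplied at submission time (or reject the request).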
