
Create a CSR where OUs are separated by commas instead of plus signs

WBOY
2024-02-09 11:15:09


When using an SSL certificate, creating a CSR (Certificate Signing Request) is an essential step. When creating a CSR, an important parameter is the OU (Organizational Unit) field. Normally, the OU field uses a plus sign (+) to separate different organizational units. However, according to the suggestion of PHP editor Banana, if you want to create a CSR correctly, you should use commas (,) to separate different organizational units. Doing so can ensure the correctness of the CSR and avoid problems during the certificate application process. Therefore, when creating a CSR, please remember to use commas to separate OU fields to ensure certificate accuracy and smooth application.

Question content

I'm trying to create a certificate signing request in Go using the cryptographic library. The problem is that the OUs of the CSR it generates are separated by "+", i.e.

Subject: O = Example Org, OU = OU1 + OU = OU2, CN = example.com

How can I generate a CSR whose OUs are separated by ",", for example

Subject: O = Example Org, OU = OU1, OU = OU2, CN = example.com

Generating OUs separated by "+" seems to be the default behavior of the crypto lib. Can this be done using the cryptographic library? If not, is there any other library that can generate a CSR with OUs separated by ","?

I tried to generate the CSR using the code below:

package main

import (
    "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "crypto/x509/pkix"
    "encoding/pem"
    "fmt"
    "os"
)

func main() {
    privKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        fmt.Println(err)
        os.Exit(1)
    }

    csrTemplate := x509.CertificateRequest{
        Subject: pkix.Name{
            CommonName:         "example.com",
            Organization:       []string{"Example Org"},
            OrganizationalUnit: []string{"OU1", "OU2"},
        },
        EmailAddresses: []string{"user@example.com"}, // placeholder address; the original value was obscured on this page
    }

    csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privKey)
    if err != nil {
        fmt.Println(err)
        os.Exit(1)
    }

    csrPem := pem.EncodeToMemory(&pem.Block{
        Type:  "CERTIFICATE REQUEST",
        Bytes: csrBytes,
    })

    fmt.Println(string(csrPem))
}

Solution

"+" and "," are not part of the certificate. They are used when providing a human-readable string representation of a certificate request.

Details: Your code simply prints out the PEM-formatted CSR file, not a human-readable representation of the certificate request. Viewing this CSR using asn1parse yields:

$ openssl asn1parse -in csr.pem 
   ...       
   37:d=4  hl=2 l=  10 cons: SEQUENCE          
   39:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
   44:d=5  hl=2 l=   3 prim: PRINTABLESTRING   :OU1
   49:d=4  hl=2 l=  10 cons: SEQUENCE          
   51:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
   56:d=5  hl=2 l=   3 prim: PRINTABLESTRING   :OU2
   61:d=3  hl=2 l=  20 cons: SET

Thus, these are separate objects, not combined strings with "+" in the middle. When using req to display a certificate request, this "+" appears:

$ openssl req -in csr.pem -text 
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = Example Org, OU = OU1 + OU = OU2, CN = example.com

Which delimiter is used here is actually configurable. See openssl-namedisplay-options and look for sep_comma_plus_space, which is the default separator. Quoting the documentation:

So you already understand: use commas between different RDNs (i.e. O, OU, CN, ...), and use plus signs between multiple AVAs within the same RDN (i.e. multiple OUs). Also, the use of multiple AVAs is discouraged under any circumstances.
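
The difference the answer describes can be checked in the encoding itself. The following Go program is an added example, not part of the original question or answer, and it goes one step further than the answer by also building a subject with one RDN per OU. It assumes the RawSubject field of x509.CertificateRequest is used to override the subject and signs with a throwaway Ed25519 key instead of the question's RSA key; the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// templates returns the question's pkix.Name subject (both OUs end up in one
// RDN) and a hand-built RawSubject with O, OU1, OU2 and CN each in its own RDN.
func templates() (question, split x509.CertificateRequest, err error) {
	question.Subject = pkix.Name{CommonName: "example.com",
		Organization: []string{"Example Org"}, OrganizationalUnit: []string{"OU1", "OU2"}}
	at := func(n int, v string) pkix.RelativeDistinguishedNameSET { // attribute 2.5.4.n
		return pkix.RelativeDistinguishedNameSET{{Type: asn1.ObjectIdentifier{2, 5, 4, n}, Value: v}}
	}
	split.RawSubject, err = asn1.Marshal(pkix.RDNSequence{
		at(10, "Example Org"), at(11, "OU1"), at(11, "OU2"), at(3, "example.com")}) // O, OU, OU, CN
	return
}

// subjectRDNs signs a CSR from tmpl and decodes the subject back from its DER.
func subjectRDNs(tmpl x509.CertificateRequest) (pkix.RDNSequence, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader) // throwaway key (assumption)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	var seq pkix.RDNSequence
	_, err = asn1.Unmarshal(csr.RawSubject, &seq)
	return seq, err
}

func main() {
	question, split, _ := templates()
	for _, t := range []x509.CertificateRequest{question, split} {
		seq, err := subjectRDNs(t)
		fmt.Println(len(seq), "RDNs:", seq, err) // String() lists RDNs in reverse order
	}
}
```

The RDNSequence string form joins RDNs with "," and AVAs inside one RDN with "+", the same convention OpenSSL's default display uses, so the first subject shows "OU=OU1+OU=OU2" and the second shows the two OUs comma-separated.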


Statement:
This article is reproduced from stackoverflow.com. If there is any infringement, please contact admin@php.cn to have it deleted.