Question
I have to create an application which generates a CSR. While generating a CSR we are required to fill in several details like CN, OU, etc. The problem is that the Certifying Authority to which I have to send my CSR wants 2 OU(Organizational Unit) Names. I googled a lot but couldn't find anything using either openssl or java keytool by which I can specify 2 OU Names.
Can someone please tell me how I can specify 2 OU Names while generating the CSR?
Solution
If you want to do it via CLI you can use either a conf file or pass the -subj argument. Here's an example with -subj
https://stackoverflow.com/questions/17849660
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianopenssl req -new -newkey rsa:2048 -nodes -subj "/CN=somedomain.com/O=My Corporation/OU=Org Unit 1/OU=Org Unit 2"
You can add in ST, L, C, and any other shortName OpenSSL recognizes (along with raw OIDs).
OTHER TIPS
hope this helps I banged my head for several hours till i found it, You can also try this command
openssl req -new -key username.key -out username.csr -config client/client.csr.cnf
here's the client.csr.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
DC= com
0.DC= company
OU= organizations
0.OU= telos
1.OU= telosapac
CN= USERNAMEPATTERN
notice the number before the subject attribute 0.DC, 0.OU, 1.OU there should be a number prefix representing the index of the subject entries
Openssl allows to set multiple values of the same type by appending a numeric value in the openssl confg.
The openssl manual states:
To specify multiple values append a numeric identifier, as shown here:
[extensions]
subjectAltName = @alt_section
[alt_section]
email.1 = steve@example.com
email.2 = steve@example.org
In the case mentioned in the question you would configure
[req_distinguished_name]
OU.1 = foo
OU.2 = bar
