3

I'm a newbie with Hashicorp Vault and PKI so bear with me :) I've recently set up an intermediate CA and went through the motions of creating roles etc. I then proceeded and generated a certificate using one of the roles, like so :

vault write -field=certificate test/pki/issue/server common_name="Bla bla" OU="Test OU" organization="Test Org" format="pem_bundle" > testhost.pem

However when I checked the subject of the cert, like so :

vault read -field=certificate test/pki/cert/53-5c-e6-7e-2d-56-4e-72-f7-db-a2-5c-6a-89-33-f9-43-52-58-92 | openssl x509 -noout -subject

Its giving me this :

subject= /O=Test Org/OU=Test OU/CN=Bla bla

Is there any way I could change it to :

subject= CN=Bla bla,OU=Test OU,O=Test Org

If this isnt possible, I understand, just would like to check. Thanks!

JaneD
  • 149
  • 1
  • 2
  • 15

2 Answers2

4

The order in the subject= line is determined by openssl, which follows RFC 1779's definition of string representations of Distinguished Names for the x.500 standard. "Subject" is a type of Distinguished Name for identifying the certificate. Attributes for the Subject are listed from most general (e.g., Country) to most specific (e.g., Common Name).

(RFC 1779 updates RFC 1485, and is updated by 2253 and RFC 4514, and likely others.)

Community
  • 1
  • 1
Sarai
  • 58
  • 1
  • 5
0

wondering which OS you use.linux based, you can change the below file with your intended details.

/etc/ssl/openssl.cnf

countryName                     = Country Name (2 letter code)
countryName_default             = IN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Karnataka
localityName                    = Bangalore (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = XXXX

re-order the above as per your need, and then generate user certs again.

toolic
  • 57,801
  • 17
  • 75
  • 117
etherGEEK
  • 1