I am trying to create a certificate signing request in go using the crypto lib. The problem is it generates the CSR with OU separated by +
, i.e.
Subject: O = Example Org, OU = OU1 + OU = OU2, CN = example.com
How can I generate the CSR with OU separated by ,
like
Subject: O = Example Org, OU = OU1, OU = OU2, CN = example.com
Producing OU separated by +
seems to be default behaviour of crypto
lib. Can this be done using crypto lib? If no, then is there any other lib that can generate CSR with OU separated by ,
I tried generating the CSR using below code
package main
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"os"
)
func main() {
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
csrTemplate := x509.CertificateRequest{
Subject: pkix.Name{
CommonName: "example.com",
Organization: []string{"Example Org"},
OrganizationalUnit: []string{"OU1", "OU2"},
},
EmailAddresses: []string{"[email protected]"},
}
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privKey)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
csrPem := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE REQUEST",
Bytes: csrBytes,
})
fmt.Println(string(csrPem))
}
Neither the '+' nor the ',' are part of the certificate. It is just what is used when providing a human readable string representation of the certificate request.
In detail: your code just prints out a CSR file in PEM format, not a human readable presentation of the certificate request. Looking at this CSR with asn1parse gives:
So, these are separate objects and not a combined string with a '+' between. This '+' instead comes when displaying the certificate request using req:
Which separator is used here can actually be kind of configured. See openssl-namedisplay-options and look for
sep_comma_plus_space
, which is the default separator. To cite the documentation:So there you have it: a comma is used between different RDN (i.e. O, OU, CN, ...) while a plus is used between multiple AVA inside the same RDN (like multiple OU). Also, using multiple AVA is discouraged anyway.