Tags: email, openssl, ca, csr

Copy email address from SAN to DN during signing process with openssl


I have a CSR for a user certificate with no email address specified in its DN. However, the email address is specified in the subject alternative name extension.

Now I would like to sign this request with openssl and include the email address in the resulting certificate's DN, i.e. the email address has to be copied from the subject alternative name to the emailAddress field in the DN. Is that even possible with openssl?


Solution

  • You can add new attributes to the X509 certificate's subject when you sign the certificate signing request with the openssl ca command. Example:

    openssl ca -cert MyCA.cer -keyfile MyCA.pvk -config MyCA.config -in MyCertificate.req -out MyCertificate.cer -outdir . -subj /CN=MyNewName
    

    However, the subject does not have a designated attribute for an e-mail (per RFC 5280). So you have two options:

    1. Use one of the allowed subject attributes to hold the new e-mail (e.g. [email protected])
    2. The SAN certificate extension contains a special field for e-mail, and you can put it there.
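The -subj override shown in the answer can be scripted to do what the question asks: read the rfc822Name out of the CSR's subjectAltName and hand it to openssl ca as an emailAddress attribute in the new subject. The script below is an added example and is not code from the original post. It builds a throwaway CA (the config, directory layout and all names are constructed for the demo), creates a CSR whose e-mail exists only in the SAN, signs it, and prints the issued subject. One caveat a practitioner should keep in mind: RFC 5280 section 4.1.2.6 only retains emailAddress in the subject as a legacy attribute, so the config also sets copy_extensions = copy, which keeps the SAN (the attribute the RFC wants the address in) on the issued certificate as well.

```shell
#!/bin/sh
# Added example, not from the original post: sign a CSR with "openssl ca" and
# copy the rfc822Name from its subjectAltName into the subject's emailAddress.
# The CA, its config, "Alice" and alice@example.com are all constructed here.
set -eu

# Build a disposable CA plus a minimal ca/req config in $1 (assumed empty dir).
make_demo_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
# keep the request's SAN (and any other extension) in the issued certificate
copy_extensions = copy
x509_extensions = user_cert
unique_subject  = no

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ user_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = Demo CA
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 365 2>/dev/null
}

# Create a user key and CSR whose subject has no e-mail; the address lives
# only in the SAN extension, which is the situation described in the question.
make_demo_csr() {
    dir=$1; email=$2
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/CN=Alice" -addext "subjectAltName=email:$email" 2>/dev/null
}

# Print the first rfc822Name in the CSR's subjectAltName (empty if there is none).
san_email() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# Subject of a CSR / certificate in the "/type=value" form that -subj expects.
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }

# Sign CSR $2 with the CA in $1, writing the certificate to $3. If the CSR
# carries a SAN e-mail, it is appended to the subject as emailAddress via -subj;
# a CSR without one is signed with its subject unchanged.
sign_copying_san_email() {
    dir=$1; csr=$2; out=$3
    subj=$(csr_subject "$csr")
    email=$(san_email "$csr")
    if [ -n "$email" ]; then
        subj="$subj/emailAddress=$email"
    fi
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$csr" -out "$out" -subj "$subj" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_demo_ca "$work"
    make_demo_csr "$work" "alice@example.com"
    sign_copying_san_email "$work" "$work/user.csr" "$work/user.pem"
    echo "issued subject: $(cert_subject "$work/user.pem")"
    openssl x509 -in "$work/user.pem" -noout -ext subjectAltName
    rm -rf "$work"
}
main
```

The policy section must list emailAddress (here as optional), otherwise openssl ca rejects the overridden subject. For the opposite direction, copying an emailAddress already present in the DN into the SAN, openssl's extension syntax has a built-in keyword: `subjectAltName = email:copy` in the certificate extension section.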