openssl: generate certificate request with non-DNS subject alternative names

You can specify pretty much anything that your CA allows.

The relevant RFC is RFC 5280. It says in section 4.2.1.6, "Subject Alternative Name":

The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). Other options exist, including completely local definitions. Multiple name forms, and multiple instances of each name form, MAY be included. Whenever such identities are to be bound into a certificate, the subject alternative name (or issuer alternative name) extension MUST be used; however, a DNS name MAY also be represented in the subject field using the domainComponent attribute as described in Section 4.1.2.4. Note that where such names are represented in the subject field implementations are not required to convert them into DNS names.

You should read the rest of that section, and then check with your CA what they support. It's worth noting that your CA must verify that all subject alternative names are correct.

To use an email address, the RFC says in section 4.1.2.6:

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.

So instead of UPI, you should use rfc822Name.


After trying some options (thanks Jenny) I just checked the source code, and discovered that the configuration file expects one of these values:

  • email
  • URI
  • DNS
  • RID
  • IP
  • dirName
  • otherName

So in my case I wrote:

[alt_names]
email = [email protected]

And openssl generated the request file.
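
The following is an added example, not part of either answer above: a complete request configuration that uses several of the keywords listed, then dumps the resulting CSR so the subject alternative names can be checked before it goes to the CA. Every name, address and file path in it is a constructed placeholder, and the `.1`/`.2` suffixes are how an OpenSSL config section carries more than one value of the same name form.

```shell
#!/bin/sh
# Added example: CSR with non-DNS subject alternative names.
# All identities and paths below are constructed placeholders.

# Write a request config into directory $1 and generate key + CSR there.
make_san_csr() {
    workdir=$1
    cat > "$workdir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
CN = Example User

[v3_req]
subjectAltName = @alt_names

[alt_names]
# Repeated name forms need a numeric suffix to keep the keys unique.
email.1 = user@example.com
email.2 = alias@example.com
URI     = https://example.com/id/user
IP      = 192.0.2.10
DNS     = host.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/key.pem" -out "$workdir/req.csr" \
        -config "$workdir/req.cnf" 2>/dev/null
}

# Print the SAN line of the CSR in file $1, as the CA will see it.
show_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone run: generate in a scratch directory and show the SAN list.
d=$(mktemp -d) && make_san_csr "$d" && show_san "$d/req.csr"
rm -rf "$d"
```

The printed line is what the CA has to validate entry by entry, so it is worth reading it before submitting the request.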