Generate CSR including certificate template information with OpenSSL
At the top of your openssl.conf enter:
[ OIDs ]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
In your [req_attributes]:
certificateTemplateName = ASN1:PRINTABLESTRING:CustomUserOffline
You could, of course, skip the definition of the OID, just like you did in your question, and use the OID directly.
Using the following openssl config file:
oid_section = OIDs
[ OIDs ]
# This uses the short name of the template:
certificateTemplateName = 1.3.6.1.4.1.311.20.2
# Use this instead if you need to refer to the template by OID:
# certificateTemplateOID = 1.3.6.1.4.1.311.21.7
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows and the numbering is irrelevant as long as each line's number differs.
# Domain Components style:
# Server name:
# 2.DC = com
# 1.DC = example
# commonName = Acme Web Server
# Locality style:
# countryName = GB
# stateOrProvinceName = London
# localityName = Letsby Avenue
# organizationName = Acme
# organizationalUnitName = IT Dept
# organizationalUnitName = Web Services
# commonName = Acme Web Server
# Or traditional org style:
countryName = GB
organizationName = Acme
organizationalUnitName = IT Dept
2.organizationalUnitName = Web Services
commonName = Acme Web Server
[ req_ext ]
#basicConstraints=critical,CA:TRUE
# This requests a certificate using the 'CustomUserOffline' template. Check with the CA for the correct name to use,
# or alternatively comment it out and let the CA apply it:
certificateTemplateName = ASN1:PRINTABLESTRING:CustomUserOffline
subjectAltName = @alt_names
[alt_names]
# To copy the CN (in the case of a DNS name in the CN) use:
# DNS = ${req_dn::commonName}
DNS.1 = www.example.com
DNS.2 = example.com
This results in the following extract when viewed using openssl req -in usercert.csr -noout -text:
Attributes:
Requested Extensions:
1.3.6.1.4.1.311.20.2:
..CustomUserOffline
and the following extract when viewed with certutil usercert.csr:
Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[0][0], Length = 4d
Certificate Extensions: 2
1.3.6.1.4.1.311.20.2: Flags = 0, Length = 13
Certificate Template Name (Certificate Type)
CustomUserOffline
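An added example, not part of the answers above: a small Python check that pulls the requested template name out of a CSR, which also shows why openssl prints `..CustomUserOffline` (the two dots are the PrintableString tag 0x13 and length 0x11) and why certutil reports `Length = 13` (hex, 19 bytes). The function names are hypothetical; accepting UTF8String or BMPString values and a SET wrapper (the PKCS#10 attribute form) are assumptions that go beyond what the page shows.

```python
import base64
import re

# DER TLV for OID 1.3.6.1.4.1.311.20.2 (certificateTemplateName in the config).
TEMPLATE_NAME_OID = bytes.fromhex("06092b0601040182371402")
# String tags accepted for the value; UTF8String/BMPString are assumptions added here.
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(text):
    """Strip the PEM armour lines and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", text))

def requested_template(der):
    """Return the template name a DER-encoded CSR asks for, or None if absent."""
    at = der.find(TEMPLATE_NAME_OID)  # byte search, not a full PKCS#10 parse
    if at < 0:
        return None
    tag, value, pos = read_tlv(der, at + len(TEMPLATE_NAME_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = read_tlv(der, pos)
    if tag not in (0x04, 0x31):  # OCTET STRING (extension) or SET (attribute)
        raise ValueError("unexpected wrapper tag 0x%02x" % tag)
    inner_tag, inner, _ = read_tlv(value, 0)
    if inner_tag not in STRING_TAGS:
        raise ValueError("unexpected string tag 0x%02x" % inner_tag)
    return inner.decode(STRING_TAGS[inner_tag])

def encode_extension(name):
    """Constructed sample: the extension the req_ext line yields (short names only)."""
    string = bytes([0x13, len(name)]) + name.encode("ascii")  # PrintableString
    body = TEMPLATE_NAME_OID + bytes([0x04, len(string)]) + string
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    sample = encode_extension("CustomUserOffline")
    print(sample.hex(), requested_template(sample))
```

To check a real request, pass it through both helpers: `requested_template(pem_to_der(open("usercert.csr").read()))`.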