
Change x509 certificate attributes (i.e. Organization) when signing

I've built an internal signing CA using OpenSSL.

My signing policy requires certain attributes to MATCH, including organizationName:

[ match_pol ]
organizationName        = supplied  # Must match 'Company ABC'
organizationalUnitName  = optional  # Included if present
commonName              = supplied  # Must be present
countryName             = supplied  # Must be present

Some of the CSRs I'm being given to sign from people don't have the correct organizationName (typos, etc.)

Am I able to modify the OrganizationName (or other attributes) before returning the signed certificate so it matches the name I want, and without having to reject and ask for a new CSR from the user?

I know from personal experience the CSRs I upload to DigiCert can contain any value and the returned signed certificate will have the correct EV/OV name that has been approved.

If you're using the ca tool (openssl ca) to operate your CA then you can use the -subj option to override the Subject within the request:

-subj arg
supersedes subject name given in the request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \\ (backslash), no spaces are skipped.

Combined with the following option(s) to configure the extensions (including Subject Alternative Name), you should be able to modify all the attributes and extensions:

-extensions section
the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present then, a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created. See the x509v3_config(5) manual page for details of the extension section format.

and, possibly:

-extfile file
an additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used).
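The flow the answer describes, as an added example that is not part of the original post: a throwaway `openssl ca` setup (the CA name, the file names and the host app.example.test are all assumed) that first rejects a CSR whose organizationName is misspelled and then issues it with `-subj`. Two points worth being explicit about: in an `openssl ca` policy, `supplied` only requires that the field be present with any value, while `match` requires it to equal the CA certificate's own value, so a policy that says `supplied` does not by itself enforce "Company ABC"; and overriding the name on the CA side is legitimate because the CSR's self-signature only proves possession of the private key, the subject is whatever the CA chooses to assert, which is why the CA-side identity check is what has to be right.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a throwaway `openssl ca` setup
# showing a CSR with a misspelled organizationName being rejected by a "match"
# policy, then issued correctly once the CA operator supplies -subj.
# Names (Company ABC, app.example.test, file names) are illustrative assumptions.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

setup_ca() {
    mkdir -p certs
    : > index.txt
    echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .
new_certs_dir   = $dir/certs
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = match_pol
x509_extensions = server_ext

# "match" compares the field with the CA certificate's value;
# "supplied" only requires the field to be present (any value).
[ match_pol ]
countryName            = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:app.example.test

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
C  = US
O  = Company ABC
CN = Internal Test CA
EOF
    # Self-signed CA whose O is the value the "match" policy compares against.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 365 -config ca.cnf -extensions ca_ext 2>/dev/null
}

# A requester's CSR with a typo in the organization (constructed input).
make_typo_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
        -config ca.cnf -subj "/C=US/O=Compny ABC/CN=app.example.test" 2>/dev/null
}

csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in user.csr
}

# Sign the CSR as submitted: O differs from the CA cert, so the policy rejects it.
sign_as_is() {
    openssl ca -batch -config ca.cnf -in user.csr -out rejected.crt 2>/dev/null
}

# Sign again with the subject replaced from the CA side. The CSR's public key
# and self-signature are untouched; only the name the CA asserts changes.
sign_with_subj() {
    openssl ca -batch -config ca.cnf -in user.csr -out user.crt \
        -subj "/C=US/O=Company ABC/CN=app.example.test" 2>/dev/null
}

issued_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in user.crt
}

verify_chain() {
    openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1
}

setup_ca
make_typo_csr
echo "CSR as submitted: $(csr_subject)"
if sign_as_is; then REJECTED=0; else REJECTED=1; fi
echo "as-is signing rejected by policy: $REJECTED"
sign_with_subj
echo "issued:           $(issued_subject)"
verify_chain && echo "chains to ca.crt: yes"
```

The same `-subj` override combined with `-extensions` (or `-extfile`) lets the CA replace the SAN and other extensions as well; the only thing the CA cannot change without a new CSR is the public key itself.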
