I tried to generate a CSR using the crypto / x509 package and did not find a way to add the emailAddress field to my Subject.
According to the CertificateRequest documentation, the structure has the field "EmailAddresses []", but it is serialized into the SAN extension. Here is the test code I used: http://play.golang.org/p/OtObaTyuTM
I also created a CSR using the "openssl req" program and compared the results:
% openssl req -in openssl.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=AU, ST=Some-State, L=MyCity, O=Company Ltd, OU=IT, CN=domain.com/ emailAddress=test@email.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) Modulus: 00:a3:05:e3:37:63:f9:8b:d0:37:46:2d:a8:d9:26: 4e:be:83:1d:b9:30:88:2b:80:4b:53:cc:7c:01:86: b0:9b:1d:3b:0a:05:c4:56:47:4e:5d:90:f9:5a:29: 8b:9a:7f:fa:4b:5e:e4:5d:dd:c6:8b:87:33:c4:b4: fa:6b:b4:67:bd Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 0b:24:6e:0a:f9:bf:23:d7:41:5f:96:da:78:d1:99:18:fb:d6: 71:7e:79:f0:02:e9:8a:50:a9:00:32:df:26:14:2f:f4:3e:c4: 22:c9:5c:4e:79:c1:c2:22:1b:2a:da:79:6f:51:ba:8a:12:63: 27:02:4a:b3:22:97:59:f7:6e:d6 =============================================================== % openssl req -in golang.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=AU, O=Company Ltd, OU=IT, L=MyCity, ST=Some-State, CN=domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) Modulus: 00:ac:b6:51:5b:53:44:44:20:91:da:01:45:72:49: 95:83:78:74:7c:05:f9:a7:77:88:02:3a:23:5f:04: c3:69:45:b9:5a:bb:fd:e7:d3:24:5f:46:14:b8:7d: 30:ce:a0:c6:ea:e3:3b:ec:4c:75:24:cc:ce:60:1d: e9:33:57:ae:21 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: email: test@email.com Signature Algorithm: sha256WithRSAEncryption a1:c1:b7:80:a0:f0:c3:b6:44:06:f4:ad:12:3a:67:19:fa:84: 34:22:2a:d9:56:d9:8b:c9:a4:d0:cf:8d:a1:36:87:fa:75:b7: 05:40:0a:15:1f:72:61:85:a8:09:bc:f4:13:e6:24:5e:2e:b7: 99:e3:93:53:4e:2d:d5:0c:22:fc
In my opinion, I have to build the RawSubject field myself using emainAddress oid, but I have not found any code examples. UPD: I found a solution. As I mentioned above, the RawSubject field must be prepared manually:
subj := pkix.Name{ CommonName: cn, Country: []string{c}, Organization: []string{o}, OrganizationalUnit: []string{ou}, Locality: []string{l}, Province: []string{s}, } rawSubj := subj.ToRDNSequence() rawSubj = appendRDNs(rawSubj, []string{e}, oidEmailAddress) asn1Subj, err := asn1.Marshal(rawSubj) template := x509.CertificateRequest{ RawSubject: asn1Subj, SignatureAlgorithm: x509.SHA1WithRSA, }
Where:
- var oidEmailAddress = asn1.ObjectIdentifier {1, 2, 840, 113549, 1, 9, 1}
- appendRDNs () is defined in crypto / x509 / pkix (since its name does not start with a capital letter, it is not exported by default. You can simply define it again as your own copy and paste function).