[openssl-users] Creating multi-valued RDN with config (still not working)

Sean Leonard dev+openssl at seantek.com
Sat Jun 18 17:43:51 UTC 2016

I am trying to create a multi-valued RDN with OpenSSL using a config 
file and the openssl req -x509 command, without success.

According to the 2006 thread "Multi-value RDNs and openssl.cnf format" 
one is supposed to do this by prefixing the keys in the 
distinguished_name section with "+" on subsequent entries to add to a 
multi-valued RDN, such as:

ST = California
+L = Los Angeles

Unfortunately, that (still) does not work. The error from openssl req 
-x509 (etc.) is:

problems making Certificate Request
30008:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:.\crypto\asn1\a_object.c:109:
30008:error:0B083077:x509 certificate 
routines:X509_NAME_ENTRY_create_by_txt:invalid field 

I was successful at making a multi-valued RDN with the -multivalue-rdn 
and -subj options, but that is not as versatile/scriptable. Any ideas?


PS It looks like it may be related to the behavior in auto_info (req.c) 
X509_NAME_add_entry_by_txt (x509name.c), in particular, the relationship 
between the variables mval, type, and p in auto_info (req.c). Could be a 

More information about the openssl-users mailing list