So I have the following command to generate a CSR with a fancy subject:
% keytool -certreq \
-dname "emailAddress=${email_address}, CN=${artifact}, OU=Dev, O=Pany, C=UK" \
-alias ${artifact} -file ${artifact}.csr -keypass ${pwd} -keystore ${artifact}.jks -storepass ${pwd}
% openssl req -text -in ${artifact}.csr
Subject: C = UK, O = AbbeyCross, OU = Dev, CN = alamar, emailAddress = [email protected]
But then I sign it with openssl ca and end up with a certificate that has a truncated subject:
% openssl ca -config ca/${ca_name}.cnf \
-startdate ${startdate} -enddate ${enddate} \
-batch -out ${artifact}.pem -infiles ${artifact}.csr
% openssl x509 -text -in ${artifact}.pem | grep Subject
Subject: CN = alamar
Note how all the fancy fields from Subject, such as e-mail, are gone.
Where did they go? How do I bring them back? The openssl ca manpage is mostly useless. I can see there is an option -noemailDN, but it does not explain why OU and O also evaporated from Subject. I also know there's -subj, but it would require re-encoding the same stuff into a different format for no apparent reason, and it does not explain where the Subject went in the first place.