Creating an EV Certificate Request in OpenSSL

Quick technical FAQ as it has just taken me over 2 hours to find out how to do this…

When generating a CSR (Certificate Signing Request) for an EV (Extended Validation) certificate, some fields are required. These required fields are very well documented (probably too well); the problem you will find is that trying to generate the EV request often fails with:

Subject Attribute businessCategory has no known NID, skipped
problems making Certificate Request
5478:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_mbstr.c:154:maxsize=2

The solution is to add the OID for businessCategory. Some documentation will indicate that this is possible by just using the OID in the subject… Forget it, it doesn’t work. The correct solution is to modify your openssl.cnf file (/usr/local/etc/openssl.cnf, /etc/ssl/openssl.cnf and /etc/openssl.cnf are common locations).

Under the section “new_oids” (create one if it doesn’t exist) add the following:

[ new_oids ]

businessCategory=2.5.4.15
streetAddress=2.5.4.9
stateOrProvinceName=2.5.4.8
countryName=2.5.4.6
jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3

Then you can use the following command to generate the CSR and a new key for the server:

openssl req -new -newkey rsa:2048 -out ev-key.csr -subj '/CN=<webserver name e.g. www.michellesullivan.org>/O=My Company Ltd/businessCategory=V1.0, Clause 5.(b)/jurisdictionOfIncorporationCountryName=<country code of registration of "My Company Ltd">/C=<country>/streetAddress=<business address>/ST=<state>/serialNumber=<company incorporation number for "My Company Ltd">'

Note: because brackets are used in the subject, you need to surround it with single quotes. Also, EV certificates cannot be issued to wildcard CNs, so don’t waste your time.
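
To avoid quoting mistakes and rejected requests, the subject can be assembled and checked before openssl is called. The script below is an added example, not part of the original post: the function names subj_escape, ev_subject and ev_csr are hypothetical, and the wildcard, empty-field and two-letter country checks are assumptions about what is worth catching early.

```shell
#!/bin/sh
# Added example: build and sanity-check the EV -subj string used above.

# Escape "\" and "/" so a value cannot be split into extra -subj fields.
subj_escape() {
    printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|/|\\/|g'
}

# Args: CN O businessCategory jurisdictionCountry C streetAddress ST serialNumber
ev_subject() {
    [ "$#" -eq 8 ] || { echo "ev_subject: expected 8 fields" >&2; return 2; }
    for field in "$@"; do
        [ -n "$field" ] || { echo "ev_subject: empty field" >&2; return 1; }
    done
    # EV certificates cannot be issued to wildcard CNs.
    case $1 in
        *\**) echo "ev_subject: wildcard CN not allowed for EV: $1" >&2; return 1 ;;
    esac
    # X.509 countryName values are two-letter country codes.
    for cc in "$4" "$5"; do
        case $cc in
            [A-Za-z][A-Za-z]) ;;
            *) echo "ev_subject: country must be two letters: $cc" >&2; return 1 ;;
        esac
    done
    printf '/CN=%s/O=%s/businessCategory=%s' \
        "$(subj_escape "$1")" "$(subj_escape "$2")" "$(subj_escape "$3")"
    printf '/jurisdictionOfIncorporationCountryName=%s/C=%s' "$4" "$5"
    printf '/streetAddress=%s/ST=%s/serialNumber=%s\n' \
        "$(subj_escape "$6")" "$(subj_escape "$7")" "$(subj_escape "$8")"
}

# Same openssl invocation as in the post, with the subject built above.
ev_csr() {
    subj=$(ev_subject "$@") || return 1
    openssl req -new -newkey rsa:2048 -out ev-key.csr -subj "$subj"
}
```

Call ev_csr with the eight fields in the order listed in the comment; passing the subject as a double-quoted variable keeps the brackets and spaces away from the shell.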
