By default (with the exception of OIDC provisioners), the `step` toolchain uses the <subject> argument as the Common Name for a certificate. At the time of writing this document (1/6/23), it is not possible to add other Relative Distinguished Names (RDNs) to a certificate's subject via the `step` CLI alone. To add such values (e.g. C, L, O, OU, ...), you have to use a custom certificate template.


Here is what a typical certificate template looks like. Notice that the "subject" is set to `.Subject`. This is why the subject passed to the `step` CLI automatically becomes the Common Name for the certificate.

{
    "subject": {{ toJson .Subject }},
    "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
    "keyUsage": ["digitalSignature"],
{{- end }}
    "extKeyUsage": ["serverAuth", "clientAuth"]
}


If you would like to add other RDNs, you can update this value in the template like so:

{
  "subject": {
    "commonName": {{ toJson .Subject.CommonName }},
    "country": {{ toJson .Insecure.User.country }},
    "organization": {{ toJson .Insecure.User.organization }},
    "organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }}
  },
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

With this template, you can generate a CSR by running:

# Where template.tpl is the template listed above (--csr requests a CSR instead of a certificate;
# --template supplies the template file; each --set value is exposed to the template as .Insecure.User.<key>)
step certificate create "Test Certificate" test.csr test.key --csr --template template.tpl --set country=Canada --set organization=Company --set organizationalUnit=Engineering

# To sign the resulting CSR, you can run:
step ca sign test.csr test.crt

Alternatively, if you want to reuse this template, you can add it to your provisioner and issue certificates by running:

# Update the template on your provisioner where template.tpl is the template above:
step ca provisioner update <provisioner_name> --x509-template template.tpl

# Issue the certificate with the desired values:
step ca certificate "Test Certificate" test.crt test.key --set country=Canada --set organization=Company --set organizationalUnit=Engineering


If you need `emailAddress`

Since `emailAddress` is a deprecated subject attribute type, you must use `extraNames` with its OID to add an email address to your subject:

# Explicitly setting the email address
{
  "subject": {
    "commonName": {{ toJson .Subject.CommonName }},
    "extraNames": [{"type":"1.2.840.113549.1.9.1", "value":"jane@example.com"}]
  },
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

# Using a variable to set the email address (pass it with --set email=jane@example.com)
{
  "subject": {
    "commonName": {{ toJson .Subject.CommonName }},
    "extraNames": [{"type":"1.2.840.113549.1.9.1", "value": {{ toJson .Insecure.User.email }}}]
  },
...
}