Qi Fan

Reputation: 827

What does plus (+) sign mean in openssl output Subject line?

I'm trying to self-sign an SSL certificate for testing purposes, where I need to match the subject of a real-world certificate with a special subject line.

The certificates have a special UID attribute in their subject. For example if I inspect the certificate with openssl:

openssl x509 -in customer/1.user_cert.der -inform der -noout -text

Then in the output I can see a subject line like this:

        Subject: C = XX, CN = JOHN SMITH + UID = 123

Normally in the Subject, the comma , separates different fields, but here the CN and UID are separated by +.

I think the + is not part of CN because, if I try to self-create a certificate with CN = JOHN + UID=123 then the -text output would show quotes (") to indicate the boundaries of the CN like CN = "JOHN + UID=123".

So what does this + mean in the subject line? How is it entered into a certificate request with openssl?

Upvotes: 2

Views: 1467

Answers (1)

Qi Fan

Reputation: 827

It's a "Multivalue-RDN".

When creating a certificate request with a multivalued RDN, the -multivalue-rdn parameter must be given to the openssl command.

Example:

openssl req -new -sha256 -key user.key -multivalue-rdn -subj '/C=XX/CN=JOHN SMITH+UID=123/' -out user.csr

Reference:

https://www.openssl.org/docs/man1.0.2/man1/req.html

-multivalue-rdn

this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example:

/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe

If -multi-rdn is not used then the UID value is 123456+CN=John Doe.

Upvotes: 4
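
The two readings of the `+` that the quoted documentation describes, as an added example that is not part of the original answer and not OpenSSL's own code. `parse_subj` and `render` are hypothetical names, and the backslash escape and the skipping of empty components are assumptions of this simplified model:

```python
# Added example: a simplified model of splitting a "/type=value" -subj string
# into RDNs. Not OpenSSL's parser: the backslash escape and the skipping of
# empty components (such as a trailing "/") are assumptions of this sketch.

def parse_subj(subj, multivalue):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs."""
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    chars = subj + "/"          # sentinel so the last component is flushed
    rdns, buf = [], []
    joins_previous = False      # component follows an unescaped '+'
    i = 1
    while i < len(chars):
        ch = chars[i]
        if ch == "\\" and i + 2 < len(chars):
            buf.append(chars[i + 1])   # escaped character is kept literally
            i += 2
            continue
        if ch == "/" or (ch == "+" and multivalue):
            component, buf = "".join(buf), []
            if component:
                attr_type, eq, value = component.partition("=")
                if not attr_type or not eq:
                    raise ValueError("expected type=value, got %r" % component)
                if joins_previous and rdns:
                    rdns[-1].append((attr_type, value))   # same RDN (a SET)
                else:
                    rdns.append([(attr_type, value)])     # new RDN
            joins_previous = ch == "+"
        else:
            buf.append(ch)
        i += 1
    return rdns


def render(rdns):
    """Join RDNs with ', ' and the attributes inside one RDN with ' + '."""
    return ", ".join(" + ".join("%s = %s" % av for av in rdn) for rdn in rdns)


if __name__ == "__main__":
    subj = "/C=XX/CN=JOHN SMITH+UID=123/"   # subject string from the answer
    for flag in (True, False):
        print("multivalue=%s: %s" % (flag, render(parse_subj(subj, flag))))
```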
