On 16-07-2010 12:40, Christian Hohnstaedt wrote:
> On Fri, Jul 16, 2010 at 10:50:02AM +0100, Alexander Fisher wrote:
>> Hi
>>
>> I've very recently decided to create my own Cert Authority in order to
>> produce certificates to replace all the built in self-signed ones on
>> devices such as routers, switches etc.
>>
>> I'm having problems with the certificate signing requests generated by
>> Dell iDRAC6 management interfaces. The hostname is quite long and the
>> FQDN totals 57 characters. The last 7 or so characters are being
>> chopped off from the CSR.
>
> RFC3280 says the maximum length of the common name should be 64.
> But not every implementation respects it. OpenSSL does.
> And it throws an error if the limit is exceeded.

While RFC3280 may be repeating this limit (which appears to be a
historic X.400 directory holdover), this particular limit has always
been a bad idea to enforce or implement at all:
1. For the original/historic use of this element holding a natural
person's full name (as listed in a phone directory, hence the
CCITT/ITU-T standardization interest), the problem is that many
people around the world have full names exceeding this arbitrary
limit.
2. For the common SSL use of placing the fully qualified domain name of
a server in this element (rather than the official SubjectAltName
element), a 64 character limit conflicts rather harshly with the DNS
limit of 63 characters between each dot. Thus a perfectly valid DNS
name such as
www.llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk
could easily exceed this limit.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
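
The two limits discussed in this thread, as an added example that is not part of the original messages: a pre-flight check that tells whether a host name is valid DNS, whether it still fits the 64-character common name bound, and whether a CN read back from a CSR is a chopped-off prefix of the name that was requested. The function names and the device host name are constructed for illustration; the long Welsh name is the one quoted above.

```python
import re

UB_COMMON_NAME = 64   # upper bound on commonName repeated by RFC 3280
MAX_DNS_LABEL = 63    # DNS limit between each dot
MAX_DNS_NAME = 253    # DNS limit on the whole name in text form
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", re.IGNORECASE)


def check_fqdn(fqdn):
    """Report where a host name can be placed in a certificate request."""
    name = fqdn.rstrip(".")
    labels = name.split(".")
    bad = [l for l in labels
           if len(l) > MAX_DNS_LABEL or not LDH_LABEL.fullmatch(l)]
    valid_dns = not bad and len(labels) >= 2 and len(name) <= MAX_DNS_NAME
    return {
        "length": len(name),
        "valid_dns": valid_dns,
        "bad_labels": bad,
        # commonName is capped at 64 characters, so a valid name may not fit
        "fits_common_name": valid_dns and len(name) <= UB_COMMON_NAME,
        # a SubjectAltName dNSName entry has no 64-character bound
        "fits_san_dns_name": valid_dns,
    }


def csr_cn_truncated(expected_fqdn, cn_from_csr):
    """True when the CSR's CN is a shortened prefix of the requested name."""
    expected = expected_fqdn.rstrip(".").lower()
    got = cn_from_csr.rstrip(".").lower()
    return got != expected and expected.startswith(got)


# Name quoted in the thread: valid DNS, too long for commonName.
LONG_NAME = "www.llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk"
# Constructed management-interface name (hypothetical, not from the thread).
DEVICE_NAME = "mgmt-idrac6-rack07-unit22.infrastructure.corp.example.com"

if __name__ == "__main__":
    for host in (LONG_NAME, DEVICE_NAME):
        print(host, check_fqdn(host))
    # Simulate a device that drops the last 7 characters when building the CSR.
    print("truncated:", csr_cn_truncated(DEVICE_NAME, DEVICE_NAME[:-7]))
```

Running the truncation check on every CSR before signing catches a shortened name before a certificate is issued for a host name that does not exist.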