Dear all,

I'm trying to create an X.509 certificate whose subject/issuer name contains an ampersand & character. OpenSSL is encoding this as T61String/TeletexString. I understand how this decision is made in ASN1_mbstring_ncopy().

Reading RFC3280, section 4.1.2.4 says about DNs "... and all certificates issued after December 31, 2003 MUST use the UTF8String encoding of DirectoryString ..."

Is there a mismatch between OpenSSL and RFC3280 or am I misunderstanding something?

Best regards,
Martin

------------------

kaiser@host:~ > openssl req -new -newkey rsa:384 -nodes -keyout test.key -x509 -outform der -out cert.der
Generating a 384 bit RSA private key
...............++++++++++++++++++
.......++++++++++++++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:a&b
Locality Name (eg, city) []:c&d
Organization Name (eg, company) [Internet Widgits Pty Ltd]:äää
Organizational Unit Name (eg, section) []:üüü
Common Name (eg, YOUR name) []:ööößßß
Email Address []:

kaiser@host:~ > dumpasn1 cert.der
   0 575: SEQUENCE {
...
  39  86:   SEQUENCE {
  41  11:     SET {
  43   9:       SEQUENCE {
  45   3:         OBJECT IDENTIFIER countryName (2 5 4 6)
  50   2:         PrintableString 'DE'
        :         }
        :       }
  54  12:     SET {
  56  10:       SEQUENCE {
  58   3:         OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
  63   3:         TeletexString 'a&b'
        :         }
        :       }
  68  12:     SET {
  70  10:       SEQUENCE {
  72   3:         OBJECT IDENTIFIER localityName (2 5 4 7)
  77   3:         TeletexString 'c&d'
        :         }
        :       }
  82  12:     SET {
  84  10:       SEQUENCE {
  86   3:         OBJECT IDENTIFIER organizationName (2 5 4 10)
  91   3:         TeletexString 'äää'
        :         }
        :       }
...
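
An added example, not part of the original post: a minimal DER walker that reports which name attributes in a DER structure (a Name, or a whole cert.der) use a legacy string type such as the TeletexString seen in the dump above. The function names, the `LEGACY` policy set and the sample bytes are constructed for illustration.

```python
# Added example. Universal tags of the ASN.1 string types a DN value may use.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
               0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString"}
# Assumed audit policy: report DirectoryString choices other than UTF8String/PrintableString.
LEGACY = {"TeletexString", "UniversalString", "BMPString"}
# Attribute OIDs (DER content bytes, hex) taken from the dumpasn1 output in the post.
OID_NAMES = {"550406": "countryName", "550408": "stateOrProvinceName",
             "550407": "localityName", "55040a": "organizationName"}

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def walk(buf, found=None):
    """Collect (attribute, string_type, raw_value) for every string in the DER tree."""
    found = [] if found is None else found
    pos, last_oid = 0, None
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag == 0x06:                     # OBJECT IDENTIFIER precedes its value
            last_oid = OID_NAMES.get(val.hex(), val.hex())
        elif tag in STRING_TAGS:
            found.append((last_oid, STRING_TAGS[tag], val))
        elif tag & 0x20:                    # constructed: SEQUENCE, SET, [n]
            walk(val, found)
    return found

def legacy_attributes(der):
    """Return (attribute, string_type) pairs that use a legacy string encoding."""
    return [(attr, typ) for attr, typ, _ in walk(der) if typ in LEGACY]

# Constructed sample: a Name with C=DE (PrintableString) and ST=a&b (TeletexString),
# matching the first two RDNs shown in the post's dump.
SAMPLE_NAME = bytes.fromhex("301b" "310b3009060355040613024445"
                            "310c300a06035504081403612662")
```

Calling `legacy_attributes(open("cert.der", "rb").read())` runs the same check over a full certificate; extension contents wrapped in OCTET STRING are not descended into.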