On Sunday 18 Dec 2011 18:10:55 Mick wrote:
> On Friday 16 Dec 2011 18:31:01 you wrote:
> > On 16/12/2011 18:45, Mick wrote:
> > [...]
> > 
> > > Since I cannot change the router firmware, what should I change the
> > > 'string_mask =  ' on the PC to agree with the router?
> > 
> > My understanding is that string_mask is used when producing an object
> > (request or certificate), not when checking its content with the policy
> > match directives.
> 
> That's fine as far as openssl usage is concerned, but when the standalone
> router compares the client certificate submitted to it, it fails with a
> malformed type error (16).  So, I'm led to believe that I should try
> creating a CA that uses a default string_mask to align that with the way
> the router parses the RDNs and sign both router and client certificates
> with it.
> 
> > You could either regenerate your CA with string_mask set to "default"
> > (which means: first try "PrintableString", then "T61String", then
> > "BMPString"). Your router uses PrintableString for pretty much anything
> > except commonName, which is encoded in T61String. That could work.
> 
> Perhaps I am being dense ... but I can't find which section I should be
> specifying this option under, in the openssl.cnf file.  I tried placing it
> under [ req ] as well as other sections and the produced cacert Subject
> fields always get encoded in utf8 (except for Country which stays as
> PrintableString)  :(

Oops!  Scratch that!  I had forgotten to point it to the correct openssl.cnf 
file!  O_O

OK, I'm almost there ... the only difference now between the router and my PKI 
is the commonName.  The router has T61String while my cacert comes out as 
PrintableString.  How can I change a single RDN?
-- 
Regards,
Mick
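
The comparison discussed in this message (which ASN.1 string type each Subject RDN carries on the router side versus the PKI side) can be checked mechanically. The following is an added example, not part of the original thread: a small DER walker that reports the string type per RDN and lists the attributes whose encodings differ. The function names and the two sample names (`ROUTER_NAME`, `PKI_NAME`) are constructed for illustration.

```python
# Added example: report the ASN.1 string type of each RDN in a DER-encoded Name.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}
ATTR_OIDS = {b"\x55\x04\x03": "commonName", b"\x55\x04\x06": "countryName",
             b"\x55\x04\x0a": "organizationName"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def rdn_string_types(name_der):
    """Map attribute -> string type for a Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result = {}
    for _, rdn in children(rdns):          # each RDN is a SET
        for _, atv in children(rdn):       # each member is SEQUENCE {OID, value}
            (_, oid), (vtag, _) = list(children(atv))[:2]
            result[ATTR_OIDS.get(oid, oid.hex())] = STRING_TAGS.get(vtag, hex(vtag))
    return result

def encoding_mismatches(name_a, name_b):
    """Return {attribute: (type_in_a, type_in_b)} for attributes encoded differently."""
    a, b = rdn_string_types(name_a), rdn_string_types(name_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

def _tlv(tag, value):                      # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

def _sample_name(cn_tag):                  # constructed Subject: C, O, CN
    atv = lambda oid, tag, text: _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, text)))
    return _tlv(0x30, atv(b"\x55\x04\x06", 0x13, b"GB") + atv(b"\x55\x04\x0a", 0x13, b"Example")
                + atv(b"\x55\x04\x03", cn_tag, b"router"))

ROUTER_NAME = _sample_name(0x14)           # constructed: commonName as T61String
PKI_NAME = _sample_name(0x13)              # constructed: commonName as PrintableString
```
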
