Yet openssl verify said OK to both of my certificates against the CA 
certificate... so is it incorrectly neglecting to compare the types when it 
tries to build the chain of certificates?

Charles A. Barbe
Senior Software Engineer
Allworx, a Windstream company
245 East Main St | Rochester NY | 14604
charles.ba...@allworx.com | 585.421.5565

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Jeffrey Walton [noloa...@gmail.com]
Sent: Tuesday, July 08, 2014 4:19 PM
To: OpenSSL Users List
Subject: Re: Certificate problem - SOLVED

On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles
<charles.ba...@allworx.com> wrote:
> I figured it out and am now wondering if there is a defect in the openssl 
> verify command. This suggestion from Dave Thompson:
> I would first try x509 -noout -subject|issuer -nameopt multiline,show_type
> and see if that helps.
> Pointed me in the right direction. What I found was that Issuer for 
> certificate A, which was the one that was NOT working, looked like this:
> [cbarbe@localhost foropensslusers]$  openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CertA.pem
> issuer=
>     countryName               = UTF8STRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> While the issuer for certificate B and subject for my CA looked like this:
> [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CertB.pem
> issuer=
>     countryName               = PRINTABLESTRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CA.pem
> issuer=
>     countryName               = PRINTABLESTRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> So it looks like openssl verify is not taking the type of countryName into 
> account while the browsers are. Is this expected behavior or a defect?
>
Not sure if this is any consolation, but countryName is a
DirectoryString, and PrintableString is OK per RFC 5280
(http://tools.ietf.org/html/rfc5280#section-4.1.2.6):

   DirectoryString ::= CHOICE {
         teletexString           TeletexString (SIZE (1..MAX)),
         printableString         PrintableString (SIZE (1..MAX)),
         universalString         UniversalString (SIZE (1..MAX)),
         utf8String              UTF8String (SIZE (1..MAX)),
         bmpString               BMPString (SIZE (1..MAX)) }

However, there is the following on page 23:

   When encoding attribute values of type DirectoryString, conforming
   CAs MUST use PrintableString or UTF8String encoding, with the
   following exceptions:

      (a)  When the subject of the certificate is a CA, the subject
           field MUST be encoded in the same way as it is encoded in the
           issuer field (Section 4.1.2.4) in all certificates issued by
           the subject CA.  Thus, if the subject CA encodes attributes
           in the issuer fields of certificates that it issues using the
           TeletexString, BMPString, or UniversalString encodings, then
           the subject field of certificates issued to that CA MUST use
           the same encoding.

So the DirectoryString must be the same type. You can't make it
utf8String in the server certificate's issuer and PrintableString in
the CA's subject.

Jeff
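The mismatch Jeff describes, as an added illustration that is not part of the thread or of OpenSSL: a minimal DER Name encoder (standard attribute OIDs, one attribute per RDN assumed) builds CertA's issuer with countryName as UTF8String and the CA's subject with countryName as PrintableString. The attribute strings agree, but the DER encodings differ in exactly one byte, the string tag, so a byte-for-byte issuer/subject match fails while a comparison that ignores the ASN.1 string type (the behaviour the thread observed from openssl verify) succeeds.

```python
# Tiny DER encoder for X.509 Names, enough to show the DirectoryString
# type issue from the thread. Added example, not OpenSSL code.
PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C

OID_C = bytes.fromhex("550406")   # countryName (2.5.4.6)
OID_ST = bytes.fromhex("550408")  # stateOrProvinceName (2.5.4.8)
OID_O = bytes.fromhex("55040A")   # organizationName (2.5.4.10)
OID_CN = bytes.fromhex("550403")  # commonName (2.5.4.3)


def der(tag, body):
    """DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_name(attrs):
    """attrs: list of (oid, string_tag, value); one AVA per RDN (assumed)."""
    rdns = b""
    for oid, tag, value in attrs:
        ava = der(0x30, der(0x06, oid) + der(tag, value.encode("utf-8")))
        rdns += der(0x31, ava)   # RelativeDistinguishedName is a SET OF AVA
    return der(0x30, rdns)       # Name is a SEQUENCE OF RDN


# Constructed from the -nameopt show_type output quoted in the thread.
COMMON = [
    (OID_ST, UTF8_STRING, "New York"),
    (OID_O, UTF8_STRING, "Allworx Corp, a Windstream Company"),
    (OID_CN, UTF8_STRING, "view"),
]
ISSUER_A = [(OID_C, UTF8_STRING, "US")] + COMMON          # CertA issuer
CA_SUBJECT = [(OID_C, PRINTABLE_STRING, "US")] + COMMON   # CA subject


def byte_match(a, b):
    """Strict match on the DER bytes, which include the string tags."""
    return encode_name(a) == encode_name(b)


def text_match(a, b):
    """Match on (OID, value) only, ignoring the ASN.1 string type."""
    return [(o, v) for o, _, v in a] == [(o, v) for o, _, v in b]


def differing_offsets(a, b):
    """Byte offsets where the two encodings differ (same-length case)."""
    ea, eb = encode_name(a), encode_name(b)
    return [i for i, (x, y) in enumerate(zip(ea, eb)) if x != y]
```

Running it shows the two names differ only at the tag byte of the countryName value, the single byte that decides whether a strict chain builder accepts the CA as the issuer.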
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org