It looks like OpenSSL always shows "unsupported" for a subjectAltName of "otherName".
The string that was written (both via M2Crypto, and directly at the commandline via openssl.cnf): 1.2.3.4;UTF8:some other identifier Dumped (openssl x509 -in test.crt -noout -text): c3:88:36:93:82:58:0c:08:7f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption 05:76:d5:fc:d0:44:50:af:39:76:05:b4:cb:b6:99:9f:7c:c0: Grepping through the OpenSSL source for "otherName", this stood out to me (in v3_alt.c): 1: STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { unsigned char *p; char oline[256], htmp[5]; int i; switch (gen->type) { case GEN_OTHERNAME: X509V3_add_value("othername","<unsupported>", &ret); break; case GEN_X400: X509V3_add_value("X400Name","<unsupported>", &ret); break; case GEN_EDIPARTY: X509V3_add_value("EdiPartyName","<unsupported>", &ret); break; 2: int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) { unsigned char *p; int i; switch (gen->type) { case GEN_OTHERNAME: BIO_printf(out, "othername:<unsupported>"); break; case GEN_X400: BIO_printf(out, "X400Name:<unsupported>"); break; case GEN_EDIPARTY: /* Maybe fix this: it is supported now */ BIO_printf(out, "EdiPartyName:<unsupported>"); break; So, I'm willing to bet that both this and the empirical knowledge coming from my attempts above mean that I shouldn't ever expect that the "otherName" values will *ever* be properly rendered via the command-line or library calls. This might be because they're actual, encoded ASN.1 strings. So, how can I do it? How do people extract these values? If they are actual ASN.1 strings, is it up to the developer to decode them? Dustin