I have performed such test last week - yes, it is not OpenCA problem, it is OpenSSL issue. Openssl mailing list haven't answered me about 64 char limitations, so I'm realy stuck now and do not know what to do.
Unfortunately I can't ask my client to shorten it's organization name, because by the rule I must include in O= exact name from organization registration documents. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Nicolas MASSE > Sent: Monday, July 24, 2006 3:58 PM > To: Ideas, tips and discussions about OpenCA installation and > management. > Subject: Re: [Openca-Users] two O= in DN (O=AAA,O=BBB or > O=AAA+O=BBB ???) > > On 15:33 Mon 24 Jul , Dmitrij Mironov wrote: > > Thank you Nicolas for very clear and detailed answer, I'm > very appreciated. > > > > Unfortunately it didn't saves me ;o( Is it realy not > possible to put > > more than 64 characters in O= field? > > It seems not to be a limitation of OpenCA. You can test it with : > > $ echo -n '/C=US/O=' > subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo -n 0123456789 >> subject.txt > $ echo '/OU=MyOU/CN=test' >> subject.txt $ openssl req -x509 > -newkey rsa:512 -noout -nodes -subj "$(cat subject.txt)" > > You should obtain something like this : > Generating a 512 bit RSA private key > ...++++++++++++ > ..++++++++++++ > writing new private key to 'privkey.pem' > ----- > problems making Certificate Request > 19296:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy: > string too long:a_mbstr.c:154:maxsize=64 > > > So, the questions are : Is it a limitation of the ASN1 format ? of the > X509 certificates ? of OpenSSL ? > > Maybe does somebody else know more about that ? Maybe on the > OpenSSL mailing list ? > > If you get the answer, don't forget to post it here ! > > Nicolas. > > PS : If it's a limitation of the X509 certificates, just asks > your client to shorten its name, your concurrents would have > done the same ! > > > -------------------------------------------------------------- > ----------- > Take Surveys. Earn Cash. Influence the Future of IT Join > SourceForge.net's Techsay panel and you'll get the chance to > share your opinions on IT & business topics through brief > surveys -- and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge > &CID=DEVDEV > _______________________________________________ > Openca-Users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/openca-users > ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Openca-Users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openca-users
