i sent this to -users a few days ago, but perhaps the people who know
the answer only hang around on -dev...?
rj
--- Begin Message ---
when i create a client certificate using a mozilla browser, a CGI script
generates an SPKAC file for use with `openssl ca -spkac infile`.
the DN then becomes of ASN.1 type T61STRING which is encoded illegally,
which the openssl documentation admits:
<quote src="http://www.openssl.org/docs/apps/req.html">
BUGS
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats
them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause
problems if you need characters that aren't available in PrintableStrings and you
don't want to or can't use BMPStrings.
As a consequence of the T61String handling the only correct way to represent accented
characters in OpenSSL is to use a BMPString: unfortunately Netscape currently chokes
on these. If you have to use accented characters with Netscape and MSIE then you
currently need to use the invalid T61String form.
</quote>
what does an SPKAC file have to look like so that the DN turns up encoded
as ASN.1 BMPString?
the req command has a -utf8 option, but it doesn't read SPKAC files,
so i can't use it to turn the SPKAC file into PKCS#10.
the spkac command hasn't got any -utf8 option.
is there any other way to generate a correctly encoded non-ASCII DN for
a mozilla client?
rj
--- End Message ---
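
The encoding difference described in the quoted BUGS text, as an added example that is not part of the original message or of OpenSSL: it builds a one-attribute DN with the CN stored as T61String (bytes written as ISO-8859-1, the treatment the BUGS text describes) or as BMPString, then walks the DER to report which string type each attribute uses. The function names and the sample value "José" are constructed for illustration.

```python
# Added example (not from the original message): DER string tags inside a DN.
T61, BMP, UTF8 = 0x14, 0x1E, 0x0C          # ASN.1 universal tag numbers
TAG_NAMES = {T61: "T61String", BMP: "BMPString", UTF8: "UTF8String",
             0x13: "PrintableString"}
CODECS = {T61: "latin-1", BMP: "utf-16-be", UTF8: "utf-8"}
CN_OID = bytes([0x55, 0x04, 0x03])         # 2.5.4.3 commonName

def tlv(tag, body):
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low bits give length size
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n

def name_with_cn(value, tag):
    """Build Name ::= SEQUENCE { SET { SEQUENCE { OID, string } } } for one CN."""
    body = value.encode(CODECS[tag])       # T61 here = Latin-1 bytes, as in the BUGS text
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(tag, body))
    return tlv(0x30, tlv(0x31, atv))

def dn_string_types(name_der):
    """List (oid_hex, string_type, raw_value) for every attribute in a DER Name."""
    out = []
    _, rdns, _ = read_tlv(name_der, 0)
    p = 0
    while p < len(rdns):
        _, rdn_set, p = read_tlv(rdns, p)
        q = 0
        while q < len(rdn_set):
            _, atv, q = read_tlv(rdn_set, q)
            _, oid, r = read_tlv(atv, 0)
            tag, val, _ = read_tlv(atv, r)
            out.append((oid.hex(), TAG_NAMES.get(tag, hex(tag)), val))
    return out
```

Running dn_string_types over the subject Name extracted from an issued certificate shows which of the two forms the CA actually wrote.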