The countryName field is a PrintableString, that's mandatory (see X.520). It also MUST be 2 characters long, but that's not enforced by OpenSSL.
-- 
Erwann ABALEA

On 28/03/2013 14:33, Joseba Gil Irisarri via RT wrote:
> Hello,
>
> I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate. OpenSSL is
> configured as follows:
>
> # This sets a mask for permitted string types. There are several options.
> # default: PrintableString, T61String, BMPString.
> # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
> # utf8only: only UTF8Strings (PKIX recommendation after 2004).
> # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
> # MASK:XXXX a literal mask value.
> # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
> string_mask = utf8only
>
> All the strings that my certificate contains are UTF8String, but when trying
> to sign it with OpenSSL CA, it returns the following mismatch error:
>
> The countryName field needed to be the same in the CA certificate <DE> and
> the request <DE>
>
> When parsing the OpenSSL CA certificate, I found out the countryName field is
> coded as PrintableString, while in my certificate it is coded as UTF8String,
> hence the error. The rest of the string fields are coded as UTF8String in
> both the CA certificate and the request.
>
> My question here is, if OpenSSL string_mask is configured as utf8only, why is
> the countryName field coded as PrintableString? Shouldn't all fields be coded
> as UTF8String? Perhaps I misunderstood the meaning and use of the
> string_mask, so I would greatly appreciate it if you could explain to me whether
> this is a bug or just correct behaviour.
>
> Thanks a lot in advance for your help.
>
> Best regards,
> Joseba Gil
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
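
Added example, not part of the original messages and not OpenSSL code: a small DER walker that reports the ASN.1 string type of each attribute in a Name and flags a countryName that is not a 2-character PrintableString, which is the condition discussed in this thread. The sample names (`C=DE, O=Example Corp`) and all function names are constructed for illustration.

```python
# Added example. Sample names are constructed, not taken from the thread.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "T61String", 0x1E: "BMPString"}
COUNTRY_OID = bytes.fromhex("550406")   # 2.5.4.6 countryName
ORG_OID = bytes.fromhex("55040a")       # 2.5.4.10 organizationName

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def attributes(der_name):
    """Yield (oid_bytes, string_type, raw_value) per attribute of a Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    for _, rdn in children(rdns):            # each RDN is a SET
        for _, atv in children(rdn):         # of SEQUENCE { type, value }
            (_, oid), (stag, sval) = list(children(atv))[:2]
            yield oid, STRING_TAGS.get(stag, hex(stag)), sval

def country_issues(der_name):
    """Flag countryName values that are not a 2-character PrintableString."""
    issues = []
    for oid, stype, val in attributes(der_name):
        if oid == COUNTRY_OID and stype != "PrintableString":
            issues.append("countryName encoded as " + stype)
        if oid == COUNTRY_OID and len(val) != 2:
            issues.append("countryName value is %d bytes, expected 2" % len(val))
    return issues

def tlv(tag, body):                          # short-form encoder for samples
    return bytes([tag, len(body)]) + body

def sample_name(country_tag, country=b"DE"):
    c = tlv(0x31, tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(country_tag, country)))
    o = tlv(0x31, tlv(0x30, tlv(0x06, ORG_OID) + tlv(0x0C, b"Example Corp")))
    return tlv(0x30, c + o)

CA_NAME = sample_name(0x13)       # countryName as PrintableString
REQ_NAME = sample_name(0x0C)      # countryName as UTF8String, same text "DE"
```

Both sample names carry the same text "DE", yet their DER bytes differ because of the string tag, so the check only flags `REQ_NAME`.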