when i create a client certificate using a mozilla browser, a CGI script
generates an SPKAC file for use with `openssl ca -spkac infile`.
the DN then becomes of ASN.1 type T61STRING which is encoded illegally,
which the openssl documentation admits:

<quote src="http://www.openssl.org/docs/apps/req.html">
BUGS

OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats 
them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause 
problems if you need characters that aren't available in PrintableStrings and you 
don't want to or can't use BMPStrings.

As a consequence of the T61String handling the only correct way to represent accented 
characters in OpenSSL is to use a BMPString: unfortunately Netscape currently chokes 
on these. If you have to use accented characters with Netscape and MSIE then you 
currently need to use the invalid T61String form. 
</quote>

what does an SPKAC file have to look like so that the DN turns up encoded
as ASN.1 BMPString?

the req command has a -utf8 option, but it doesn't read SPKAC files,
so i can't use it to turn the SPKAC file into PKCS#10.
the spkac command hasn't got any -utf8 option.

is there any other way to generate a correctly encoded non-ASCII DN for
a mozilla client?

rj
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
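
The encodings the quoted BUGS section contrasts, as an added example that is not part of the original post or of OpenSSL: it DER-encodes a one-attribute DN as T61String (Latin-1 bytes, the invalid form), BMPString and UTF8String, then walks the result and flags any T61String carrying bytes above 0x7F. The sample name and all function names are constructed for illustration.

```python
# Added example (not from the post): how one CN value looks in DER under each
# string type, and a check that flags the invalid Latin-1-in-T61String form.
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
        0x14: "T61String", 0x1E: "BMPString"}
CODECS = {0x0C: "utf-8", 0x14: "latin-1", 0x1E: "utf-16-be"}

def der(tag: int, body: bytes) -> bytes:
    """Tag-length-value with a DER definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_cn(value: str, string_tag: int) -> bytes:
    """Name with one RDN: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, string } } }."""
    text = der(string_tag, value.encode(CODECS[string_tag]))
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + text)
    return der(0x30, der(0x31, atv))

def walk(data: bytes):
    """Yield (tag, body) for each primitive element, descending into constructed ones."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:                      # long-form length
            k = first & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        else:
            n = first
        body = data[i:i + n]
        i += n
        if tag & 0x20:                        # constructed: SEQUENCE / SET
            yield from walk(body)
        else:
            yield tag, body

def audit_name(name_der: bytes):
    """Return (type, value hex, flagged) per string; flagged = T61String with high bytes."""
    return [(TAGS[tag], body.hex(), tag == 0x14 and any(b >= 0x80 for b in body))
            for tag, body in walk(name_der) if tag in TAGS]

if __name__ == "__main__":
    for t in (0x14, 0x1E, 0x0C):              # constructed sample CN "José"
        print(audit_name(encode_cn("Jos\u00e9", t)))
```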
