Hi,

Since the beginning of this year, RFC 3280 requires all subject and issuer fields in PKIX-compliant certificates to be encoded as utf8string. Now I tried to set up a compliant CA with openssl, but it still encodes the domainComponent parts of the subject and issuer as ia5string even if I have string_mask=utf8only in the "[ req ]" section of my config file. Following is the relevant output from asn1parse:

....
31:d=2 hl=2 l= 70 cons: SEQUENCE
33:d=3 hl=2 l= 19 cons: SET
35:d=4 hl=2 l= 17 cons: SEQUENCE
37:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
49:d=5 hl=2 l= 3 prim: IA5STRING :com
54:d=3 hl=2 l= 22 cons: SET
56:d=4 hl=2 l= 20 cons: SEQUENCE
58:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
70:d=5 hl=2 l= 6 prim: IA5STRING :rentec
78:d=3 hl=2 l= 23 cons: SET
80:d=4 hl=2 l= 21 cons: SEQUENCE
82:d=5 hl=2 l= 3 prim: OBJECT :commonName
87:d=5 hl=2 l= 14 prim: UTF8STRING
0000 - 52 65 6e 61 69 73 73 61-6e 63 65 20 43 41 Renaissance CA
103:d=2 hl=2 l= 30 cons: SEQUENCE
....

As you can see, the commonName is encoded as utf8string but the domainComponents are ia5strings.

How can I generate an RFC 3280-compliant certificate with openssl and this subject (cn=Renaissance CA,dc=rentec,dc=com)?


Karsten.
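
The check done by eye in the post above, as an added example (not part of the original message and not OpenSSL code): it reads `openssl asn1parse` text output and reports the ASN.1 string type of each name attribute, including values that asn1parse prints as a hex dump. The function names and the `exempt` allow-list are assumptions made for this illustration.

```python
import re

# asn1parse line: "offset:d=depth hl=n l= len prim|cons: TAG [:value]"
LINE = re.compile(r"^\s*\d+:d=\s*\d+\s+hl=\s*\d+\s+l=\s*(\d+)\s+(?:prim|cons):\s+([^:]+?)\s*(?::(.*))?$")
# hex-dump continuation line: "0000 - 52 65 6e ... text"
DUMP = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]?)+)")
STRING_TAGS = {"UTF8STRING", "IA5STRING", "PRINTABLESTRING", "T61STRING", "BMPSTRING"}

def attribute_encodings(text):
    """Return [(attribute, string_type, value)] for each OBJECT/string pair."""
    found, attr, pending = [], None, None
    for line in text.splitlines():
        dump, m = DUMP.match(line), LINE.match(line)
        if dump and pending:
            tag, length, buf = pending
            # 16 bytes per dump line; the cap keeps hex-looking ASCII text out
            buf += bytes.fromhex("".join(re.findall(r"[0-9a-f]{2}", dump.group(1))[:16]))
            if len(buf) >= length:  # l= says how many bytes the value has
                found.append((attr, tag, bytes(buf[:length]).decode("utf-8", "replace")))
                attr = pending = None
        elif m:
            length, tag, value = int(m.group(1)), m.group(2), m.group(3)
            pending = None
            if tag == "OBJECT":
                attr = (value or "").strip()
            elif tag in STRING_TAGS and attr and (value is not None or length == 0):
                found.append((attr, tag, value or ""))
                attr = None
            elif tag in STRING_TAGS and attr:
                pending = (tag, length, bytearray())  # value follows as a hex dump
            else:
                attr = None  # only pair an OBJECT with the string right after it
    return found

def not_utf8(text, exempt=()):
    """Attributes not encoded as UTF8String; `exempt` is a caller-chosen allow-list."""
    return [(a, t) for a, t, _ in attribute_encodings(text)
            if t != "UTF8STRING" and a not in exempt]

# Sample: two attributes copied from the asn1parse excerpt in the post above
SAMPLE = """\
58:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
70:d=5 hl=2 l= 6 prim: IA5STRING :rentec
78:d=3 hl=2 l= 23 cons: SET
80:d=4 hl=2 l= 21 cons: SEQUENCE
82:d=5 hl=2 l= 3 prim: OBJECT :commonName
87:d=5 hl=2 l= 14 prim: UTF8STRING
0000 - 52 65 6e 61 69 73 73 61-6e 63 65 20 43 41 Renaissance CA
"""
```

Feed it the saved text output of asn1parse for a certificate; `not_utf8(text)` lists every attribute whose string type differs from UTF8STRING.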
