Hello,

RFC3280 requires ALL DIRECTORY STRINGS to be encoded as UTF8 - this doesn't mean "all subject and issuer fields" but only those with syntax DirectoryString.
domainComponent is defined as an attribute with syntax IA5String - so openssl is correct.

Regards, Jochen.

> Hi,
>
> since the beginning of this year RFC 3280 requires all subject and
> issuer fields in PKIX-compliant certificates to be encoded as
> utf8string. Now I tried to set up a compliant CA with openssl but it
> still encodes the domainComponent parts of the subject and issuer as
> ia5string even if I have string_mask=utf8only in the "[ req ]" section
> of my config file. Following is the relevant output from asn1parse:
>
> ....
>    31:d=2  hl=2 l=  70 cons: SEQUENCE
>    33:d=3  hl=2 l=  19 cons:  SET
>    35:d=4  hl=2 l=  17 cons:   SEQUENCE
>    37:d=5  hl=2 l=  10 prim:    OBJECT            :domainComponent
>    49:d=5  hl=2 l=   3 prim:    IA5STRING         :com
>    54:d=3  hl=2 l=  22 cons:  SET
>    56:d=4  hl=2 l=  20 cons:   SEQUENCE
>    58:d=5  hl=2 l=  10 prim:    OBJECT            :domainComponent
>    70:d=5  hl=2 l=   6 prim:    IA5STRING         :rentec
>    78:d=3  hl=2 l=  23 cons:  SET
>    80:d=4  hl=2 l=  21 cons:   SEQUENCE
>    82:d=5  hl=2 l=   3 prim:    OBJECT            :commonName
>    87:d=5  hl=2 l=  14 prim:    UTF8STRING
>       0000 - 52 65 6e 61 69 73 73 61-6e 63 65 20 43 41   Renaissance CA
>   103:d=2  hl=2 l=  30 cons: SEQUENCE
> ....
>
> As you can see the commonName is encoded as utf8string but the
> domainComponents are ia5strings.
>
> How can I generate an RFC3280-compliant certificate with openssl and this
> subject (cn=Renaissance CA,dc=rentec,dc=com)?
>
>
> Karsten.
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
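The distinction Jochen draws (DirectoryString attributes such as commonName must be UTF8String under RFC 3280 section 4.1.2.4, while domainComponent keeps its own IA5String syntax) can be checked mechanically on a DER-encoded Name. The following is an added example written for this page, not code from the thread or from OpenSSL: a minimal DER encoder and walker that rebuilds the subject from the asn1parse dump above (`dc=com`, `dc=rentec`, `cn=Renaissance CA`) and flags any attribute whose string tag does not match the syntax its attribute type is defined with. The attribute table only covers the two OIDs that appear in the dump, and treating PrintableString as still acceptable for DirectoryString reflects the RFC's legacy allowance; both are assumptions of this example.

```python
"""Check X.509 Name string encodings against RFC 3280 syntax rules (added example)."""

# Universal ASN.1 tags used below (constructed types carry the 0x20 bit).
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING, TAG_IA5STRING = 0x0C, 0x13, 0x16
TAG_NAMES = {TAG_UTF8STRING: "UTF8STRING", TAG_PRINTABLESTRING: "PRINTABLESTRING",
             TAG_IA5STRING: "IA5STRING"}

# Attribute type -> (name, syntax). Only the two types from the asn1parse dump are covered.
OID_COMMON_NAME = "2.5.4.3"                        # syntax DirectoryString
OID_DOMAIN_COMPONENT = "0.9.2342.19200300.100.1.25"  # syntax IA5String (RFC 2247)
ATTR_SYNTAX = {OID_COMMON_NAME: ("commonName", "DirectoryString"),
               OID_DOMAIN_COMPONENT: ("domainComponent", "IA5String")}
# RFC 3280 4.1.2.4: DirectoryString values are UTF8String (PrintableString tolerated for
# legacy reasons, an assumption here); IA5String attributes stay IA5String.
ALLOWED_TAGS = {"DirectoryString": {TAG_UTF8STRING, TAG_PRINTABLESTRING},
                "IA5String": {TAG_IA5STRING}}


def der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID; arcs above 127 use base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(TAG_OID, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one attribute per RDN)."""
    body = b"".join(tlv(TAG_SET, tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(tag, text.encode())))
                    for oid, tag, text in rdns)
    return tlv(TAG_SEQUENCE, body)


def check_name_encoding(der):
    """Walk a DER Name; return [(attribute, string tag, value, compliant)] per attribute."""
    tag, name_body, _ = read_tlv(der, 0)
    assert tag == TAG_SEQUENCE, "Name must be a SEQUENCE"
    findings, pos = [], 0
    while pos < len(name_body):
        _, rdn, pos = read_tlv(name_body, pos)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)
            _, oid_body, q = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, q)
            attr, syntax = ATTR_SYNTAX.get(decode_oid(oid_body), (decode_oid(oid_body), None))
            compliant = syntax is not None and vtag in ALLOWED_TAGS[syntax]
            findings.append((attr, TAG_NAMES.get(vtag, hex(vtag)),
                             value.decode("utf-8", "replace"), compliant))
    return findings


# Constructed input: the subject from the thread, in the RDN order the asn1parse dump shows.
SUBJECT = [(OID_DOMAIN_COMPONENT, TAG_IA5STRING, "com"),
           (OID_DOMAIN_COMPONENT, TAG_IA5STRING, "rentec"),
           (OID_COMMON_NAME, TAG_UTF8STRING, "Renaissance CA")]
# Constructed counter-example: dc forced to UTF8String and cn left as IA5String.
BAD_SUBJECT = [(OID_DOMAIN_COMPONENT, TAG_UTF8STRING, "com"),
               (OID_DOMAIN_COMPONENT, TAG_IA5STRING, "rentec"),
               (OID_COMMON_NAME, TAG_IA5STRING, "Renaissance CA")]

if __name__ == "__main__":
    for label, rdns in (("subject", SUBJECT), ("bad subject", BAD_SUBJECT)):
        for attr, tagname, value, ok in check_name_encoding(encode_name(rdns)):
            print(f"{label}: {attr}={value!r} as {tagname}: {'ok' if ok else 'NON-COMPLIANT'}")
```

Running it reproduces the dump's outer length (the Name SEQUENCE has a 70-byte body, 72 bytes in all) and reports every attribute of the original subject as compliant, while the counter-example flags both the UTF8String domainComponent and the IA5String commonName. The same walk can be pointed at the subject extracted from a real certificate to audit what a CA actually emitted.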