On Monday 19 Dec 2011 06:45:13 Mick wrote:
> On Sunday 18 Dec 2011 18:10:55 Mick wrote:
> > On Friday 16 Dec 2011 18:31:01 you wrote:
> > > On 16/12/2011 18:45, Mick wrote:
> > > [...]
> > >
> > > > Since I cannot change the router firmware, what should I change the
> > > > 'string_mask = ' on the PC to agree with the router?
> > >
> > > My understanding is that string_mask is used when producing an object
> > > (request or certificate), not when checking its content with the policy
> > > match directives.
> >
> > That's fine as far as openssl usage is concerned, but when the standalone
> > router compares the client certificate submitted to it, it fails with a
> > malformed type error (16). So, I'm led to believe that I should try
> > creating a CA that uses a default string_mask to align that with the way
> > the router parses the RDNs and sign both router and client certificates
> > with it.
> >
> > > You could either regenerate your CA with string_mask set to "default"
> > > (which means: first try "PrintableString", then "T61String", then
> > > "BMPString"). Your router uses PrintableString for pretty much anything
> > > except commonName, which is encoded in T61String. That could work.
> >
> > Perhaps I am being dense ... but I can't find which section I should be
> > specifying this option under, in the openssl.cnf file. I tried placing
> > it under [ req ] as well as other sections and the produced cacert
> > Subject fields always get encoded in utf8 (except for Country which
> > stays as PrintableString) :(
>
> Oops! Scratch that! I had forgotten to point it to the correct
> openssl.cnf file! O_O
>
> OK, I'm almost there ... the only difference now between the router and my
> PKI is the commonName. The router has T61String while my cacert comes out
> as PrintableString. How can I change a single RDN?
Aha! Just tried signing the CSR and the commonName is actually created as a T61String! Thank you very much for your help and sorry for the noise. :-) -- Regards, Mick
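The string_mask behaviour the thread works out by trial and error, as an added worked example (this is not code from the thread, from OpenSSL, or from the router vendor): a model of how OpenSSL picks the ASN.1 string type for each Subject attribute under string_mask = default / pkix / utf8only / nombstr (PrintableString first, then T61String, then BMPString, then UTF8String, with countryName always PrintableString and emailAddress always IA5String), a DER encoder for a Name that applies that choice, and a decoder that reports the string type each RDN actually carries so two Subjects can be compared. The sample Subject, with an underscore in the commonName that pushes it out of the PrintableString repertoire, is constructed for the example.

```python
"""Model of OpenSSL's string_mask selection for Subject RDNs, with a DER
Name encoder/decoder used to check which string type each RDN carries.
Added example; the rules follow OpenSSL's documented string_mask values,
the sample Subject below is constructed, not taken from a real certificate."""

import string

# ASN.1 universal tags for the string types that can appear in an RDN value.
UTF8STRING, PRINTABLESTRING, T61STRING, IA5STRING, BMPSTRING = 0x0C, 0x13, 0x14, 0x16, 0x1E
TAG_NAMES = {UTF8STRING: "UTF8String", PRINTABLESTRING: "PrintableString",
             T61STRING: "T61String", IA5STRING: "IA5String", BMPSTRING: "BMPString"}

# DER-encoded OID contents for the attribute types used here.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b",
        "CN": b"\x55\x04\x03", "emailAddress": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"}
OID_TO_NAME = {v: k for k, v in OIDS.items()}

# The PrintableString repertoire: letters, digits, space and these symbols only.
# Note that '_' and '@' are NOT in it, which is what forces T61String/BMPString/UTF8String.
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

# String types each string_mask value leaves enabled for DirectoryString attributes
# (CN, O, OU, ...), in the order OpenSSL tries them.
MASKS = {
    "default":  [PRINTABLESTRING, T61STRING, BMPSTRING, UTF8STRING],
    "pkix":     [PRINTABLESTRING, BMPSTRING, UTF8STRING],   # no T61String
    "utf8only": [UTF8STRING],
    "nombstr":  [PRINTABLESTRING, T61STRING],               # no BMPString, no UTF8String
}


def choose_string_type(attr, value, mask="default"):
    """Return the ASN.1 tag OpenSSL would emit for this attribute value."""
    if attr == "C":              # countryName: 2-character PrintableString, mask ignored
        if len(value) != 2 or not set(value) <= PRINTABLE:
            raise ValueError("countryName must be two PrintableString characters")
        return PRINTABLESTRING
    if attr == "emailAddress":   # PKCS#9 emailAddress: IA5String, mask ignored
        if not value.isascii():
            raise ValueError("emailAddress must be ASCII")
        return IA5STRING
    widest = max(map(ord, value), default=0)
    for tag in MASKS[mask]:
        if tag == PRINTABLESTRING and set(value) <= PRINTABLE:
            return tag
        if tag == T61STRING and widest <= 0xFF:
            return tag
        if tag == BMPSTRING and widest <= 0xFFFF:
            return tag
        if tag == UTF8STRING:
            return tag
    raise ValueError(f"string_mask={mask} permits no string type that can hold {value!r}")


CODECS = {BMPSTRING: "utf-16-be", UTF8STRING: "utf-8", T61STRING: "latin-1"}


def _tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def encode_name(rdns, mask="default"):
    """DER-encode a Name (one attribute per RDN) the way OpenSSL would under `mask`."""
    out = b""
    for attr, value in rdns:
        tag = choose_string_type(attr, value, mask)
        atv = _tlv(0x06, OIDS[attr]) + _tlv(tag, value.encode(CODECS.get(tag, "ascii")))
        out += _tlv(0x31, _tlv(0x30, atv))          # SET { SEQUENCE { OID, value } }
    return _tlv(0x30, out)                          # SEQUENCE OF RDN


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def decode_name(der):
    """Return [(attribute, string type name, value)] for each RDN of a DER Name."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a Name SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)          # SET
        _, atv, _ = _read_tlv(rdn, 0)               # first (assumed only) AttributeTypeAndValue
        _, oid, p = _read_tlv(atv, 0)
        vtag, vbytes, _ = _read_tlv(atv, p)
        result.append((OID_TO_NAME.get(oid, oid.hex()), TAG_NAMES.get(vtag, hex(vtag)),
                       vbytes.decode(CODECS.get(vtag, "ascii"))))
    return result


def encoding_differences(name_a, name_b):
    """Attributes whose string type differs between two decoded Names (the router-vs-PKI check)."""
    types_a = {a: t for a, t, _ in name_a}
    types_b = {a: t for a, t, _ in name_b}
    return {a: (types_a[a], types_b[a]) for a in types_a if a in types_b and types_a[a] != types_b[a]}


# Constructed sample Subject: the underscore in the CN is outside the PrintableString set.
SUBJECT = [("C", "GB"), ("O", "Home PKI"), ("CN", "vpn_router")]

if __name__ == "__main__":
    for mask in MASKS:
        print(f"string_mask = {mask:8s} ->", decode_name(encode_name(SUBJECT, mask)))
```

Running it shows why the thread ends where it does: under string_mask = default the C and O stay PrintableString while the CN, whose underscore is not a PrintableString character, comes out as T61String, which matches what the router produces; under utf8only every DirectoryString attribute becomes UTF8String except C. To run the same check against real certificates, `openssl asn1parse -in cert.pem -i` prints the tag name (PRINTABLESTRING, T61STRING, UTF8STRING, BMPSTRING) beside each Subject value; string_mask belongs in the [ req ] section of the openssl.cnf that `openssl req -config` is actually pointed at.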