On Tue, Jul 8, 2014 at 3:39 PM, Barbe, Charles
<charles.ba...@allworx.com> wrote:
> I figured it out and am now wondering if there is a defect in the openssl 
> verify command. This suggestion from Dave Thompson:
> I would first try x509 -noout -subject|issuer -nameopt multiline,show_type
> and see if that helps.
> Pointed me in the right direction. What I found was that Issuer for 
> certificate A, which was the one that was NOT working, looked like this:
> [cbarbe@localhost foropensslusers]$  openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CertA.pem
> issuer=
>     countryName               = UTF8STRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> While the issuer for certificate B and subject for my CA looked like this:
> [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CertB.pem
> issuer=
>     countryName               = PRINTABLESTRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> [cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt 
> multiline,show_type -in CA.pem
> issuer=
>     countryName               = PRINTABLESTRING:US
>     stateOrProvinceName       = UTF8STRING:New York
>     organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
>     commonName                = UTF8STRING:view
> So it looks like openssl verify is not taking the type of countryName into 
> account while the browsers are. Is this expected behavior or a defect?
>
Not sure if this is any consolation, but countryName is a
DirectoryString, and PrintableString is OK per RFC 5280
(http://tools.ietf.org/html/rfc5280#section-4.1.2.6):

   DirectoryString ::= CHOICE {
         teletexString           TeletexString (SIZE (1..MAX)),
         printableString         PrintableString (SIZE (1..MAX)),
         universalString         UniversalString (SIZE (1..MAX)),
         utf8String              UTF8String (SIZE (1..MAX)),
         bmpString               BMPString (SIZE (1..MAX)) }

However, there is the following on page 23:

   When encoding attribute values of type DirectoryString, conforming
   CAs MUST use PrintableString or UTF8String encoding, with the
   following exceptions:

      (a)  When the subject of the certificate is a CA, the subject
           field MUST be encoded in the same way as it is encoded in the
           issuer field (Section 4.1.2.4) in all certificates issued by
           the subject CA.  Thus, if the subject CA encodes attributes
           in the issuer fields of certificates that it issues using the
           TeletexString, BMPString, or UniversalString encodings, then
           the subject field of certificates issued to that CA MUST use
           the same encoding.

So the DirectoryString must be the same type. You can't make it
utf8String in the server certificate's issuer and PrintableString in
the CA's subject.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
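To make the encoding mismatch in this thread concrete, here is an added example (not code from the thread, from OpenSSL, or from Allworx): a minimal DER encoder/decoder for X.501 Names in pure Python, with two constructed DNs modelled on the ones above, identical in text but with countryName as UTF8String in one and PrintableString in the other. It prints them in the style of `-nameopt multiline,show_type` and compares them two ways: byte-for-byte, which RFC 5280 section 7.1(a) permits a verifier to do and which is consistent with what the browsers did, and type-insensitively after canonicalisation, which approximates the canonical X509_NAME form OpenSSL's `X509_NAME_cmp` has used since 1.0.0 and is consistent with `openssl verify` accepting certificate A. The attribute OIDs, tag numbers and DN values are real; the canonicalisation routine is an approximation labelled as such. One caveat worth knowing when reading the RFC quote above: Appendix A.1 of RFC 5280 defines X520countryName as `PrintableString (SIZE (2))` rather than as a DirectoryString, so a UTF8String countryName is non-conforming on its own, independent of the issuer/subject consistency rule.

```python
"""
Added example (not code from the original thread): a minimal DER encoder/decoder
for X.501 Names, used to show why two names that print identically can still
fail a byte-for-byte issuer/subject match when one attribute is a UTF8String
and the other a PrintableString.  Pure standard library; the DNs at the bottom
are constructed to mirror the ones in the thread.
"""
import re

# Universal ASN.1 tag numbers (DER, single-byte identifiers)
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x06, 0x0C, 0x13
TAG_NAMES = {UTF8STRING: "UTF8STRING", PRINTABLESTRING: "PRINTABLESTRING"}
# id-at attribute types under 2.5.4, DER-encoded OID contents
OIDS = {"countryName": b"\x55\x04\x06", "stateOrProvinceName": b"\x55\x04\x08",
        "organizationName": b"\x55\x04\x0a", "commonName": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, position_after_value) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def encode_name(rdns):
    """rdns: list of (attribute, string_tag, value); one AVA per RDN."""
    body = b""
    for attr, tag, value in rdns:
        if tag == PRINTABLESTRING and not PRINTABLE.issuperset(value):
            raise ValueError(f"{value!r} is not a valid PrintableString")
        ava = _tlv(OID, OIDS[attr]) + _tlv(tag, value.encode("utf-8"))
        body += _tlv(SET, _tlv(SEQUENCE, ava))
    return _tlv(SEQUENCE, body)


def decode_name(der: bytes):
    """Inverse of encode_name: returns [(attribute, string_tag, value), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == SEQUENCE, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    rdns, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _read_tlv(body, pos)
        assert stag == SET, "RDN must be a SET OF AttributeTypeAndValue"
        _, ava, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(ava, 0)
        vtag, val, _ = _read_tlv(ava, p)
        rdns.append((OID_NAMES.get(oid, oid.hex()), vtag, val.decode("utf-8")))
    return rdns


def show_type(der: bytes):
    """Lines in the style of `openssl x509 -nameopt multiline,show_type`."""
    return [f"    {attr:<25} = {TAG_NAMES.get(tag, hex(tag))}:{val}"
            for attr, tag, val in decode_name(der)]


def names_match_strict(a: bytes, b: bytes) -> bool:
    """Byte-for-byte DER comparison.  RFC 5280 s.7.1(a) allows a verifier to
    treat values encoded in different string types as different strings,
    which is consistent with the browser behaviour reported in the thread."""
    return a == b


def _canon(value: str) -> str:
    # Approximation (not OpenSSL's code) of the canonical X509_NAME form used
    # by X509_NAME_cmp: string type dropped, whitespace collapsed, case folded.
    return re.sub(r"\s+", " ", value.strip()).lower()


def names_match_canonical(a: bytes, b: bytes) -> bool:
    """Type-insensitive comparison, consistent with `openssl verify` passing."""
    return ([(t, _canon(v)) for t, _, v in decode_name(a)] ==
            [(t, _canon(v)) for t, _, v in decode_name(b)])


# Constructed DNs modelled on the thread: same text, different countryName type
_COMMON = [("stateOrProvinceName", UTF8STRING, "New York"),
           ("organizationName", UTF8STRING, "Allworx Corp, a Windstream Company"),
           ("commonName", UTF8STRING, "view")]
CERT_A_ISSUER = encode_name([("countryName", UTF8STRING, "US")] + _COMMON)
CERT_B_ISSUER = encode_name([("countryName", PRINTABLESTRING, "US")] + _COMMON)
CA_SUBJECT = CERT_B_ISSUER  # the CA's subject is encoded like CertB's issuer

if __name__ == "__main__":
    for label, dn in (("CertA issuer", CERT_A_ISSUER), ("CA subject", CA_SUBJECT)):
        print(f"{label}:\n" + "\n".join(show_type(dn)))
    print("strict    A vs CA:", names_match_strict(CERT_A_ISSUER, CA_SUBJECT))
    print("canonical A vs CA:", names_match_canonical(CERT_A_ISSUER, CA_SUBJECT))
```

Running it prints the two DNs with their per-attribute string types, then `False` for the strict comparison and `True` for the canonical one, which is the split between the browsers and `openssl verify` seen above. The practical check this suggests for a chain that verifies with OpenSSL but not in a browser is to diff the issuer DER of the leaf against the subject DER of the CA (for example `openssl asn1parse -i` on each), not just the printed strings.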