Hello,

I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate. OpenSSL is 
configured as follows:

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

All the strings that my certificate contains are UTF8String, but when trying to 
sign it with OpenSSL CA, it returns the following mismatch error:

The countryName field needed to be the same in the CA certificate <DE> and the 
request <DE>

When parsing the OpenSSL CA certificate, I found out the countryName field is 
coded as PrintableString, while in my certificate it is coded as UTF8String, 
hence the error. The rest of the string fields are coded as UTF8String in both 
the CA certificate and the request.

My question here is, if OpenSSL string_mask is configured as utf8only, why is 
the countryName field coded as PrintableString? Shouldn't all fields be coded 
as UTF8String? Perhaps I misunderstood the meaning and use of the string_mask, 
so I would greatly appreciate it if you could explain to me whether this is a 
bug or just correct behaviour.

Thanks a lot in advance for your help.

Best regards,
Joseba Gil
                                          
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
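
The mismatch described in the message above, as an added example that is not part of the original post: the same DE value encoded once as PrintableString and once as UTF8String differs at the DER tag byte, so a type-sensitive comparison reports a difference although both display as <DE>. The subject names are constructed sample data, the helper names are hypothetical, and that the CA's match check is sensitive to the string type is an assumption taken from the poster's diagnosis.

```python
# Added example: the subject names below are constructed sample data.
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString"}
C_OID, O_OID = bytes.fromhex("550406"), bytes.fromhex("55040a")  # 2.5.4.6, 2.5.4.10
OID_NAMES = {C_OID: "countryName", O_OID: "organizationName"}

def tlv(tag, body):
    """Encode one DER TLV (short-form length is enough for this sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_name(attrs):
    """attrs: [(oid, string_tag, text)] -> DER Name, one attribute per RDN."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); accepts short and long length forms."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def name_attrs(der):
    """Parse a DER Name into {attribute: (string type, raw value bytes)}."""
    out, pos = {}, 0
    _, rdns, _ = read_tlv(der, 0)
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)   # SET (RelativeDistinguishedName)
        _, atv, _ = read_tlv(rdn, 0)        # SEQUENCE; first attribute of the RDN only
        _, oid, val_pos = read_tlv(atv, 0)
        vtag, val, _ = read_tlv(atv, val_pos)
        out[OID_NAMES.get(oid, oid.hex())] = (STRING_TYPES.get(vtag, hex(vtag)), val)
    return out

def type_mismatches(ca_der, req_der):
    """Attributes whose value bytes match but whose ASN.1 string type differs."""
    ca, req = name_attrs(ca_der), name_attrs(req_der)
    return {k: (ca[k][0], req[k][0]) for k in ca
            if k in req and ca[k][1] == req[k][1] and ca[k][0] != req[k][0]}

CA_SUBJECT = build_name([(C_OID, 0x13, "DE"), (O_OID, 0x0C, "Example Corp")])
REQ_SUBJECT = build_name([(C_OID, 0x0C, "DE"), (O_OID, 0x0C, "Example Corp")])
print(type_mismatches(CA_SUBJECT, REQ_SUBJECT))
```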
