Hello,

I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate. OpenSSL is configured as follows:

    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
    # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
    string_mask = utf8only

All the strings that my certificate contains are UTF8String, but when trying to sign it with OpenSSL CA, it returns the following mismatch error:

    The countryName field needed to be the same in the CA certificate <DE> and the request <DE>

When parsing the OpenSSL CA certificate, I found out the countryName field is coded as PrintableString, while in my certificate it is coded as UTF8String, hence the error. The rest of the string fields are coded as UTF8String in both the CA certificate and the request.

My question here is, if OpenSSL string_mask is configured as utf8only, why is the countryName field coded as PrintableString? Shouldn't all fields be coded as UTF8String?

Perhaps I misunderstood the meaning and use of the string_mask, so I would greatly appreciate it if you could explain to me whether this is a bug or just correct behaviour.

Thanks a lot in advance for your help.

Best regards,
Joseba Gil
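
The comparison described in the message (identical text, different ASN.1 string type) can be checked directly on the DER-encoded subject and issuer Names; the following is an added example, not part of the original post and not OpenSSL code. The function names and both sample Names (C=DE, O=Example) are constructed for illustration.

```python
STRING_TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
               0x14: ("T61String", "latin-1"), 0x1E: ("BMPString", "utf-16-be")}
OIDS = {"2.5.4.6": "countryName", "2.5.4.10": "organizationName"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: the next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def oid_text(body):  # OID content octets -> dotted notation
    first = min(body[0] // 40, 2)
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_attributes(der):
    """Return [(attribute, string type, text)] for a Name: SEQUENCE OF SET OF SEQUENCE."""
    out = []
    for _, rdn in children(read_tlv(der, 0)[1]):
        for _, atv in children(rdn):
            (_, oid), (stag, sval) = children(atv)
            kind, codec = STRING_TAGS.get(stag, ("tag 0x%02x" % stag, "latin-1"))
            dotted = oid_text(oid)
            out.append((OIDS.get(dotted, dotted), kind, sval.decode(codec)))
    return out

def encoding_mismatches(ca_der, req_der):
    """Attributes whose text is equal but whose ASN.1 string type differs."""
    req = {a: (k, t) for a, k, t in name_attributes(req_der)}
    return [(a, k, req[a][0]) for a, k, t in name_attributes(ca_der)
            if a in req and req[a][1] == t and req[a][0] != k]
# Constructed sample Names (C=DE, O=Example); only the countryName string tag differs.
O_RDN = "3110300e060355040a0c074578616d706c65"
CA_NAME = bytes.fromhex("301f310b3009060355040613024445" + O_RDN)
REQ_NAME = bytes.fromhex("301f310b300906035504060c024445" + O_RDN)
```

RFC 5280 defines countryName as PrintableString (SIZE (2)), so a UTF8String report for that attribute points at how the request was encoded rather than at the CA certificate.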