On Thu Mar 28 14:33:41 2013, joseb...@hotmail.com wrote:
> Hello,
>
> I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate.
> OpenSSL is configured as follows:
>
> # This sets a mask for permitted string types. There are several options.
> # default: PrintableString, T61String, BMPString.
> # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
> # utf8only: only UTF8Strings (PKIX recommendation after 2004).
> # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
> # MASK:XXXX a literal mask value.
> # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
> string_mask = utf8only
>
> All the strings that my certificate contains are UTF8String, but when
> trying to sign it with OpenSSL CA, it returns the following mismatch error:
>
> The countryName field needed to be the same in the CA certificate <DE>
> and the request <DE>
>
> When parsing the OpenSSL CA certificate, I found out the countryName
> field is coded as PrintableString, while in my certificate it is coded
> as UTF8String, hence the error. The rest of the string fields are
> coded as UTF8String in both the CA certificate and the request.
>
> My question here is, if OpenSSL string_mask is configured as utf8only,
> why is the countryName field coded as PrintableString? Shouldn't
> all fields be coded as UTF8String? Perhaps I misunderstood the
> meaning and use of the string_mask, so I would greatly appreciate
> it if you could explain to me whether this is a bug or just correct
> behaviour.
>
The string_mask option only applies to DN fields of type DirectoryString, which are a CHOICE of different string types. The countryName field can only be a PrintableString (see RFC 5280 et al.). Coding it as any other string type violates the standards.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
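To make Steve's answer concrete, here is an added example (not code from the thread, and not OpenSSL's own code): a minimal pure-Python DER encoder and decoder for an X.501 Name. It models the rule he describes, namely that string_mask only picks among the DirectoryString alternatives for fields such as O and CN, while countryName is always a PrintableString, and then emulates the type-sensitive comparison behind the poster's error (OpenSSL's ASN1_STRING_cmp compares the string type as well as the bytes, so a UTF8String "DE" is not equal to a PrintableString "DE"). Assumptions: only the C, O and CN attributes and the utf8only/default masks are modelled, the sample subject is constructed, and `policy_match` is a simplified stand-in for the `match` policy check in `openssl ca`, not a port of it.

```python
"""Added example (not from the thread or from OpenSSL): a minimal DER encoder
and decoder for an X.501 Name, showing why string_mask = utf8only still yields
a PrintableString countryName and why a type-sensitive compare then rejects a
request whose countryName was encoded as UTF8String."""

PRINTABLE_STRING = 0x13  # universal tag 19
UTF8_STRING = 0x0C       # universal tag 12
TAG_NAMES = {PRINTABLE_STRING: "PrintableString", UTF8_STRING: "UTF8String"}

# DER-encoded OID bodies for the attribute types used here.
OIDS = {
    "C": bytes.fromhex("550406"),   # 2.5.4.6  countryName
    "O": bytes.fromhex("55040a"),   # 2.5.4.10 organizationName
    "CN": bytes.fromhex("550403"),  # 2.5.4.3  commonName
}
OID_NAMES = {v: k for k, v in OIDS.items()}

# Only attributes whose syntax is DirectoryString (a CHOICE) are governed by
# string_mask. countryName is PrintableString (SIZE (2)) in RFC 5280 App. A.
DIRECTORY_STRING_ATTRS = {"O", "CN"}

def choose_tag(attr, string_mask):
    """Simplified model of the tag selection openssl req applies per field."""
    if attr == "C":
        return PRINTABLE_STRING  # fixed type; the mask is irrelevant here
    if attr in DIRECTORY_STRING_ATTRS:
        return UTF8_STRING if string_mask == "utf8only" else PRINTABLE_STRING
    raise ValueError(f"unsupported attribute {attr}")

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_name(attrs):
    """attrs: [(attr, text, tag)] -> DER Name, one single-valued RDN each."""
    rdns = b""
    for attr, text, tag in attrs:
        atv = _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(tag, text.encode("utf-8")))
        rdns += _tlv(0x31, atv)  # RDN is SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Returns [(attr, tag, text)] with the string tag actually on the wire."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    out, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        p = 0
        while p < len(rdn):
            seq_tag, atv, p = _read_tlv(rdn, p)
            if seq_tag != 0x30:
                raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
            _, oid, q = _read_tlv(atv, 0)
            val_tag, val, _ = _read_tlv(atv, q)
            out.append((OID_NAMES.get(oid, oid.hex()), val_tag, val.decode("utf-8")))
    return out

def policy_match(ca_der, req_der, attr):
    """One attribute under the 'match' policy of openssl ca (simplified):
    values must be equal as ASN.1 strings, type included, as ASN1_STRING_cmp
    compares them. Returns (ok, message)."""
    ca = {a: (t, v) for a, t, v in decode_name(ca_der)}
    req = {a: (t, v) for a, t, v in decode_name(req_der)}
    if attr not in ca or attr not in req:
        return False, f"The {attr} field is missing from the CA certificate or the request"
    if ca[attr] == req[attr]:
        return True, f"{attr}: {TAG_NAMES[ca[attr][0]]} {ca[attr][1]!r} in both"
    return False, (f"The {attr} field needed to be the same in the CA certificate "
                   f"<{ca[attr][1]}> and the request <{req[attr][1]}>: "
                   f"{TAG_NAMES[ca[attr][0]]} vs {TAG_NAMES[req[attr][0]]}")

# Constructed sample subject (not a real CA).
SUBJECT = [("C", "DE"), ("O", "Example GmbH"), ("CN", "Example Corporate CA")]
# What openssl produces under string_mask = utf8only: C stays PrintableString.
CA_NAME = encode_name([(a, v, choose_tag(a, "utf8only")) for a, v in SUBJECT])
# The poster's request: every attribute, including C, encoded as UTF8String.
BAD_REQ = encode_name([(a, v, UTF8_STRING) for a, v in SUBJECT])

if __name__ == "__main__":
    for label, der in (("CA ", CA_NAME), ("REQ", BAD_REQ)):
        for attr, tag, text in decode_name(der):
            print(f"{label} {attr:2} {TAG_NAMES[tag]:16} {text}")
    print(policy_match(CA_NAME, BAD_REQ, "C")[1])
```

Running the script shows C as PrintableString in the CA name and as UTF8String in the bad request, with O and CN as UTF8String in both, and the mismatch message reproduces the shape of the error the poster saw. On real files the same check is `openssl asn1parse -i -in cacert.pem` (look at the tag in front of the countryName value) or `openssl x509 -in cacert.pem -noout -subject -nameopt show_type` and `openssl req -in req.pem -noout -subject -nameopt show_type`. The fix on the requester's side is to regenerate the CSR with a tool that encodes countryName as PrintableString; relaxing `countryName = match` in the CA's `[ policy ]` section would let the signing go through but would still issue a certificate with a non-conforming DN.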