On Wed, Mar 15, 2006, Tom Horstmann wrote:

> Dear members,
> 
> our customer sent a pkcs#7 certification request to his CA containing the DN
> 
> [ req_distinguished_name ]
> C=DE
> O=ITSG TrustCenter fuer Arbeitgeber
> 0.OU=Braukmann Personalmanagement GmbH 
> 1.OU=BN13538740
> CN=Andrea Degler-Scheel
> 
> After processing the request the CA told him the DN was
> 
> C=DE
> O=ITSG TrustCenter fuer Arbeitgeber 
> OU={T.61/Latin-1}Braukmann Personalmanagement GmbH
> OU=BN13538740
> CN=Andrea Degler-Scheel
> 
> See the difference in OU.1?   {T.61/Latin-1}
> Can someone explain to me what this string is for? I know it deals with
> character sets.
> 
> The CA rejects the request as it contains unpermitted chars ({}).
> Our customer has sent 3 requests now of which none was processed without the
> problem occurring. So I have to prove now that the string was not in the file
> when it was sent to the CA and was included later when processed by
> the CA.
> 
> I created a self-signed certificate on the request which does not
> contain the string. I also checked the decoded request-file the customer
> sent. The string is not in there.
> 
> I sent the decoded request to the CA. The reply was, it couldn't be their
> problem as they correctly process more than 10000 requests a month. I should
> ask my software vendor. I do so now:)
> Does someone know a simple reason why that string is put in the DN while
> processing a certification-request?
> 
> Just to let google know about that CA: ITSG Trustcenter.
> 

It would help if you posted the certificate request or at least tried this:

openssl req -in req.pem -noout -subject -nameopt multiline,show_type

if it shows a T61 in there then the CA may not like T61Strings. OpenSSL will
use a T61 if it is configured to and if the characters used require it. If
there is an "international" character in there (MSB set in ISO8859-1 character
set) then that is the cause.

The use of T61s is now discouraged and newer software uses UTF8Strings instead
which the latest OpenSSL config files use. If you change the line in 
openssl.cnf which begins "string_mask" to:

string_mask = utf8only

it will use UTF8Strings for everything. Then generate a new request and see
what the result is.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
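
The check suggested in the reply above, whether the request's subject carries a T61String, comes down to the ASN.1 tag on each attribute value. As an added example (not part of the original thread and not OpenSSL code), this Python parser walks a DER-encoded Name and reports each value's string type; the sample Name, its values and all function names are constructed for illustration.

```python
# Added example: report the ASN.1 string type of each attribute in a DER Name.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING",
               0x16: "IA5STRING", 0x1E: "BMPSTRING"}
ATTR_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):  # elements are packed back to back
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # holds for 2.5.4.x OIDs
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def name_string_types(der_name):
    """Return [(attribute, string type, raw value bytes)] for a DER Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (vtag, value) = list(children(atv))[:2]
            oid = decode_oid(oid)
            found.append((ATTR_OIDS.get(oid, oid), STRING_TAGS.get(vtag, hex(vtag)), value))
    return found

# Builders for the constructed sample only (short-form lengths, 2.5.4.x OIDs).
def build_tlv(tag, content):
    return bytes([tag, len(content)]) + content
def build_rdn(attr, tag, raw):
    return build_tlv(0x31, build_tlv(0x30, build_tlv(0x06, bytes([0x55, 0x04, attr])) + build_tlv(tag, raw)))
# Constructed sample: OU holds a Latin-1 byte with the MSB set, tagged T61String.
SAMPLE_NAME = build_tlv(0x30, build_rdn(6, 0x13, b"DE")
                        + build_rdn(11, 0x14, b"M\xfcller GmbH") + build_rdn(3, 0x13, b"Example User"))
```

Any attribute reported as T61STRING is one that a CA refusing T61Strings would flag; with string_mask = utf8only the same value would be tagged UTF8STRING instead.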
