On Friday 16 Dec 2011 17:27:42 you wrote:
> On 12/16/2011 6:14 PM, Erwann Abalea wrote:
> > Le 16/12/2011 17:57, Mick a écrit :
> >> On Friday 16 Dec 2011 16:23:52 you wrote:
> >>> man req
> >>> Then look for the "-utf8" argument.
> >>> 
> >>> I took your example below, added "-utf8" argument, and it worked.
> >>> You can display the content with "openssl req -text -noout -in
> >>> blabla.pem -nameopt multiline,utf8,-esc_msb"
> >> 
> >> Would using -utf8 resolve the original OP problem?
> > 
> > To create the request/certificate, yes.
> > This is what I do to embed accented characters in UTF8.
> > 
> > Typing
> > 
> > openssl req -utf8 -new -nodes -newkey rsa:512 -keyout THORSTROM.key
> > -out THORSTROM.csr -subj "/O=ESBJÖRN.com/OU=Esbjörn-Thörstrom
> > Group/CN=Áki Thörstrom"
> > 
> > on a UTF8-capable terminal, with a "string_mask = utf8only" in the
> > right openssl.cnf file, gives me a certificate request correctly
> > encoded in UTF8 with the wanted characters in the DN.
> 
> Sorry, but OP's problem seems to be that the CSR was created by "some
> software embedded in a router", which presumably would not allow him
> to set OpenSSL command line options, OpenSSL config file options or
> even the terminal type, even if the software in the router happened to
> be built around OpenSSL.
> 
> OP's problem is that the OpenSSL ca command is being overly strict in
> its handling of policy constraints on DN name components, rejecting
> alternative encodings of the same name with a meaningless error
> message ("foo" does not match "foo") rather than accepting those.

Indeed, the message was rather esoteric and it did not offer a way out - e.g. 
it could have advised to change "match" to "supplied" in openssl.cnf, or to 
ensure that the encoding between the CSR and ca is the same.

I think what confused me is that by uploading the cacert to the router I would 
expect the router to respect the cacert's encodings.  It evidently did not.

Since I cannot change the router firmware, what should I change the 
'string_mask = ' setting on the PC to, so that it agrees with the router?
-- 
Regards,
Mick
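
Added example, not part of the original message and not OpenSSL's own code: a small Python model of why a strict policy "match" can report that "foo" does not match "foo" when the CA and the CSR encode the same DN value with different ASN.1 string types. The function names, the choice of UTF8String for the CA and PrintableString for the CSR, and the simplified normalisation are assumptions made for illustration; the sample DER values are constructed.

```python
# Added illustration; hypothetical helper names, constructed sample values.
import unicodedata

# ASN.1 universal tag -> (type name, Python codec) for common DN string types
TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
        0x16: ("IA5String", "ascii"), 0x1E: ("BMPString", "utf-16-be")}

def der_string(tag, text):
    """Encode text as a DER string of the given tag (short-form length only)."""
    body = text.encode(TAGS[tag][1])
    if len(body) > 127:
        raise ValueError("constructed sample limited to short-form lengths")
    return bytes([tag, len(body)]) + body

def parse_der_string(der):
    """Return (type name, decoded text) for a short-form DER string."""
    if len(der) < 2 or der[0] not in TAGS or der[1] > 127 or len(der) != 2 + der[1]:
        raise ValueError("unsupported or malformed DER string")
    name, codec = TAGS[der[0]]
    return name, der[2:].decode(codec)

def strict_match(a, b):
    """Type-and-bytes comparison: a different string type never matches."""
    return a == b

def normalized_match(a, b):
    """Compare decoded text only (simplified: NFC, case-fold, squeeze spaces)."""
    def canon(der):
        text = unicodedata.normalize("NFC", parse_der_string(der)[1])
        return " ".join(text.casefold().split())
    return canon(a) == canon(b)

def diagnose(ca_der, csr_der):
    """Say whether a failed strict match is an encoding or a value difference."""
    ca_type, ca_text = parse_der_string(ca_der)
    csr_type, csr_text = parse_der_string(csr_der)
    if strict_match(ca_der, csr_der):
        return "match"
    if normalized_match(ca_der, csr_der):
        return f"encoding mismatch: CA uses {ca_type}, CSR uses {csr_type}"
    return f"value mismatch: {ca_text!r} vs {csr_text!r}"

if __name__ == "__main__":
    ca_o = der_string(0x0C, "foo")    # assumed: CA written with utf8only
    csr_o = der_string(0x13, "foo")   # assumed: router emits PrintableString
    print(ca_o.hex(), csr_o.hex(), diagnose(ca_o, csr_o))
```

Both values display as "foo", which is why an error message that shows only the text gives no hint that the string types differ.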
