On Friday 16 Dec 2011 17:27:42 you wrote:
> On 12/16/2011 6:14 PM, Erwann Abalea wrote:
> > On 16/12/2011 17:57, Mick wrote:
> >> On Friday 16 Dec 2011 16:23:52 you wrote:
> >>> man req
> >>> Then look for the "-utf8" argument.
> >>>
> >>> I took your example below, added "-utf8" argument, and it worked.
> >>> You can display the content with "openssl req -text -noout -in
> >>> blabla.pem -nameopt multiline,utf8,-esc_msb"
> >>
> >> Would using -utf8 resolve the original OP problem?
> >
> > To create the request/certificate, yes.
> > This is what I do to embed accented characters in UTF8.
> >
> > Typing
> >
> > openssl req -utf8 -new -nodes -newkey rsa:512 -keyout THORSTROM.key
> > -out THORSTROM.csr -subj "/O=ESBJÖRN.com/OU=Esbjörn-Thörstrom
> > Group/CN=Áki Thörstrom"
> >
> > on a UTF8 capable terminal, with a "string_mask = utf8only" in the
> > right openssl.cnf file, gives me a certificate request correctly
> > encoded in UTF8 with the wanted characters in the DN.
>
> Sorry, but OP's problem seems to be that the CSR was created by "some
> software embedded in a router", which presumably would not allow him
> to set OpenSSL command line options, OpenSSL config file options or
> even the terminal type, even if the software in the router happened to
> be built around OpenSSL.
>
> OP's problem is that the OpenSSL ca command is being overly strict in
> its handling of policy constraints on DN name components, rejecting
> alternative encodings of the same name with a meaningless error
> message ("foo" does not match "foo") rather than accept those.

Indeed, the message was rather esoteric and it did not offer a way out - e.g. it could have advised to change "match" to "supplied" in openssl.cnf, or to ensure that the encoding between the CSR and ca is the same.

I think what confused me is that by uploading the cacert to the router I would expect the router to respect the cacert's encodings. It evidently did not.

Since I cannot change the router firmware, what should I change the 'string_mask = ' on the PC to, so that it agrees with the router?

--
Regards,
Mick
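
Added illustration, not part of the original thread: the thread describes a DN component that prints identically in the CA certificate and the CSR yet is rejected because the two use different encodings. The Python sketch below models a strict comparison (ASN.1 string type and bytes) next to a text-level comparison; the helper names, the constructed sample values and the Latin-1 reading of T61String are assumptions of this example, not OpenSSL's own code.

```python
import unicodedata

# ASN.1 universal tags of the string types commonly found in DN attributes.
STRING_TYPES = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x14: ("T61String", "latin-1"),  # assumption: read as Latin-1
    0x16: ("IA5String", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}

def der(tag: int, payload: bytes) -> bytes:
    """Build one DER string TLV (short-form length only, payload < 128 bytes)."""
    if len(payload) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(payload)]) + payload

def decode_der_string(tlv: bytes):
    """Return (type_name, text) for one DER-encoded string TLV."""
    if len(tlv) < 2 or tlv[1] & 0x80 or len(tlv) != 2 + tlv[1]:
        raise ValueError("truncated, long-form or inconsistent TLV")
    if tlv[0] not in STRING_TYPES:
        raise ValueError(f"unsupported tag 0x{tlv[0]:02x}")
    name, codec = STRING_TYPES[tlv[0]]
    return name, tlv[2:].decode(codec)

def compare(ca_value: bytes, csr_value: bytes) -> dict:
    """Compare two DN attribute values strictly and by decoded text."""
    ca_type, ca_text = decode_der_string(ca_value)
    csr_type, csr_text = decode_der_string(csr_value)
    nfc = lambda s: unicodedata.normalize("NFC", s)
    return {
        "types": (ca_type, csr_type),
        "strict_match": ca_value == csr_value,  # type and bytes must agree
        "text_match": nfc(ca_text) == nfc(csr_text),
    }

# Constructed sample values: the same names under different string types.
CA_O = der(0x13, b"Example Org")                        # PrintableString
CSR_O = der(0x0C, "Example Org".encode("utf-8"))        # UTF8String
CA_CN = der(0x0C, "Th\u00f6rstrom".encode("utf-8"))     # UTF8String
CSR_CN = der(0x14, "Th\u00f6rstrom".encode("latin-1"))  # T61String

if __name__ == "__main__":
    for label, a, b in (("O", CA_O, CSR_O), ("CN", CA_CN, CSR_CN)):
        print(label, compare(a, b))
```

Running `openssl asn1parse -in <file>` on the CA certificate and on the CSR shows the string type actually used for each DN component, which is the value to feed into a comparison like this one.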