OK, Jakob - will try this. Tks for the feedback. (Seems we'd tried the 'utf8'
option inline already, but will try again). and my 'read' of the -nameopt
multiline config was that utf8 would be included, in absence of its specific
de-activation, such as with the -utf8 command.
Lou Picciano
----- Original Message -----
From: "Jakob Bohm" <jb-open...@wisemo.com>
To: openssl-users@openssl.org
Sent: Friday, December 16, 2011 12:27:42 PM
Subject: Re: [openssl-users] Re: stateOrProvinceName field problem when signing
CSR
On 12/16/2011 6:14 PM, Erwann Abalea wrote:
> Le 16/12/2011 17:57, Mick a écrit :
>> On Friday 16 Dec 2011 16:23:52 you wrote:
>>> man req
>>> Then look for the "-utf8" argument.
>>>
>>> I took your example below, added "-utf8" argument, and it worked.
>>> You can display the content with "openssl req -text -noout -in
>>> blabla.pem -nameopt multiline,utf8,-esc_msb"
>> Would using -utf8 resolve the original OP problem?
>
> To create the request/certificate, yes.
> This is what I do to embed accented characters in UTF8.
>
> Typing
>
> openssl req -utf8 -new -nodes -newkey rsa:512 -keyout THORSTROM.key
> -out THORSTROM.csr -subj "/O=ESBJÖRN.com/OU=Esbjörn-Thörstrom
> Group/CN=Áki Thörstrom"
>
> on an UTF8 capable terminal, with a "string_mask = utf8only" in the
> right openssl.cnf file, gives me a certificate request correctly
> encoded in UTF8 with the wanted characters in the DN.
Sorry, but OP's problem seems to be that the CSR was created by "some
software embedded in a router", which presumably would not allow him
to set OpenSSL command line options, OpenSSL config file options or
even the terminal type, even if the software in the router happened to
be built around OpenSSL.
OPs problem is that the OpenSSL ca command is being overly strict in
its handling of policy constraints on DN name components, rejecting
alternative encodings of the same name with a meaningless error
message ("foo" does not match "foo") rather than accept those.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
