OK, Jakob - will try this. Tks for the feedback. (Seems we'd tried the 'utf8' option inline already, but will try again). and my 'read' of the -nameopt multiline config was that utf8 would be included, in absence of its specific de-activation, such as with the -utf8 command.
Lou Picciano ----- Original Message ----- From: "Jakob Bohm" <[email protected]> To: [email protected] Sent: Friday, December 16, 2011 12:27:42 PM Subject: Re: [openssl-users] Re: stateOrProvinceName field problem when signing CSR On 12/16/2011 6:14 PM, Erwann Abalea wrote: > Le 16/12/2011 17:57, Mick a écrit : >> On Friday 16 Dec 2011 16:23:52 you wrote: >>> man req >>> Then look for the "-utf8" argument. >>> >>> I took your example below, added "-utf8" argument, and it worked. >>> You can display the content with "openssl req -text -noout -in >>> blabla.pem -nameopt multiline,utf8,-esc_msb" >> Would using -utf8 resolve the original OP problem? > > To create the request/certificate, yes. > This is what I do to embed accented characters in UTF8. > > Typing > > openssl req -utf8 -new -nodes -newkey rsa:512 -keyout THORSTROM.key > -out THORSTROM.csr -subj "/O=ESBJÖRN.com/OU=Esbjörn-Thörstrom > Group/CN=Áki Thörstrom" > > on an UTF8 capable terminal, with a "string_mask = utf8only" in the > right openssl.cnf file, gives me a certificate request correctly > encoded in UTF8 with the wanted characters in the DN. Sorry, but OP's problem seems to be that the CSR was created by "some software embedded in a router", which presumably would not allow him to set OpenSSL command line options, OpenSSL config file options or even the terminal type, even if the software in the router happened to be built around OpenSSL. OPs problem is that the OpenSSL ca command is being overly strict in its handling of policy constraints on DN name components, rejecting alternative encodings of the same name with a meaningless error message ("foo" does not match "foo") rather than accept those. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
