On Friday 16 Dec 2011 18:31:01 you wrote:
> On 16/12/2011 18:45, Mick wrote:
> [...]
> > Since I cannot change the router firmware, what should I change the
> > 'string_mask = ' on the PC to agree with the router?
>
> My understanding is that string_mask is used when producing an object
> (request or certificate), not when checking its content with the policy
> match directives.

That's fine as far as openssl usage is concerned, but when the standalone router compares the client certificate submitted to it, it fails with a malformed type error (16). So, I'm led to believe that I should try creating a CA that uses a default string_mask to align that with the way the router parses the RDNs and sign both router and client certificates with it.

> You could either regenerate your CA with string_mask set to "default"
> (which means: first try "PrintableString", then "T61String", then
> "BMPString"). Your router uses PrintableString for pretty much anything
> except commonName, which is encoded in T61String.

That could work. Perhaps I am being dense ... but I can't find which section I should be specifying this option under, in the openssl.cnf file. I tried placing it under [ req ] as well as other sections and the produced cacert Subject fields always get encoded in utf8 (except for Country which stays as PrintableString) :(

--
Regards,
Mick
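A check for the encoding mismatch discussed in this thread, as an added example that is not part of the original messages: it walks a DER-encoded Subject Name, reports the ASN.1 string type of each attribute, and lists the attributes whose type differs between two Names. The function names are hypothetical, and the two sample Names are constructed to mirror the encodings described above (UTF8String from the CA, PrintableString and T61String on the router).

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "T61String", 0x1E: "BMPString"}
ATTR_OIDS = {b"\x55\x04\x03": "commonName", b"\x55\x04\x06": "countryName",
             b"\x55\x04\x0a": "organizationName"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def subject_string_types(name_der):
    """Map each attribute of a DER Name to the string type that encodes it."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    types = {}
    for _, rdn in children(rdns):          # each RDN is a SET
        for _, atv in children(rdn):       # SEQUENCE { OID, value }
            (_, oid), (val_tag, _) = list(children(atv))[:2]
            types[ATTR_OIDS.get(oid, oid.hex())] = STRING_TAGS.get(val_tag, hex(val_tag))
    return types

def encoding_mismatches(a_der, b_der):
    """Attributes present in both Names whose string types differ."""
    a, b = subject_string_types(a_der), subject_string_types(b_der)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}

# Constructed sample Names (not taken from the thread); short-form lengths only.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value
def _name(attrs):
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(t, v))) for oid, t, v in attrs))

C, O, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"
CA_SUBJECT = _name([(C, 0x13, b"GB"), (O, 0x0C, b"Example"), (CN, 0x0C, b"Test CA")])
ROUTER_SUBJECT = _name([(C, 0x13, b"GB"), (O, 0x13, b"Example"), (CN, 0x14, b"router")])
```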