Viktor and others, thanks for the tips. I found that by using OpenSSL 
1.0.1e I've been able to create the UTF8 format fields, such as:

   71:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   76:d=5  hl=2 l=   6 prim: UTF8STRING        :Róót

However, creating the subjectAltName is not following the same pattern. In 
the "root_dir_sect" I've assigned CN (and a custom OID) to the same value 
I've assigned to commonName in "root_ca_distinguished_name":


[ new_oid_section ]

myOIDSN                 = myOIDLongName, 1.2.3.4

[ root_ca_distinguished_name ]

countryName             = US
stateOrProvinceName     = MA
commonName              = Róót
emailAddress            = r...@abc.com
organizationName        = abc

[ root_ca_extensions ]

basicConstraints        = CA:true
subjectAltName          = email:copy,URI:http://xyz.com.test/,dirName:root_dir_sect#

[ root_dir_sect ]

C                       = us
O                       = abc
OU                      = orgUnit
CN                      = Róót
1.2.3.4                 = Róót

Using an ASN1 parsing tool I found that the commonName in Subject contains 
the C3B3 (accented o) I expected. However, within subjectAltName, in the 
dirName field, the value is expanded to C3+83C2+B3 for each occurrence of 
"accented o".

CN=Róót, 2.3.4=Róót

I must have also assigned the custom OID incorrectly as the preceding 1. 
is truncated.

Any comments are greatly appreciated. Thanks


John Rasmussen
IBM DataPower


From:   Viktor Dukhovni <openssl-us...@dukhovni.org>
To:     openssl-users@openssl.org, 
Date:   03/15/2013 12:06 PM
Subject:        Re: openssl-user - UTF8 characters in configuration file
Sent by:        owner-openssl-us...@openssl.org



On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyněk Krejčík wrote:

> I tried this some 2yrs ago what seemed to work (at least wins showed the
> strings in cert correctly)
> 
> in 
> [ req ]
> ...
> distinguished_name             = req_distinguished_name
> attributes                             = req_attributes
> string_mask = utf8only
> utf8 = yes

FWIW with OpenSSL 1.0.1e just "string_mask" is sufficient, but "utf8" is
neither sufficient nor necessary.

    $ cat foo.cnf
    [ req ]
    distinguished_name = dn
    prompt = no
    string_mask = utf8only

    [ dn ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    commonName              = mail.example.com

    [ v3_req ]
    extendedKeyUsage        = serverAuth, clientAuth

    $ openssl req -new -config foo.cnf -reqexts v3_req -key key.pem |
                 openssl asn1parse
        0:d=0  hl=4 l= 335 cons: SEQUENCE
        4:d=1  hl=3 l= 247 cons: SEQUENCE
        7:d=2  hl=2 l=   1 prim: INTEGER           :00
       10:d=2  hl=2 l= 101 cons: SEQUENCE
       12:d=3  hl=2 l=  11 cons: SET
       14:d=4  hl=2 l=   9 cons: SEQUENCE
       16:d=5  hl=2 l=   3 prim: OBJECT            :countryName
       21:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
       25:d=3  hl=2 l=  17 cons: SET
       27:d=4  hl=2 l=  15 cons: SEQUENCE
       29:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
       34:d=5  hl=2 l=   8 prim: UTF8STRING        :New York
       44:d=3  hl=2 l=  17 cons: SET
       46:d=4  hl=2 l=  15 cons: SEQUENCE
       48:d=5  hl=2 l=   3 prim: OBJECT            :localityName
       53:d=5  hl=2 l=   8 prim: UTF8STRING        :New York
       63:d=3  hl=2 l=  21 cons: SET
       65:d=4  hl=2 l=  19 cons: SEQUENCE
       67:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
       72:d=5  hl=2 l=  12 prim: UTF8STRING        :Example Corp
       86:d=3  hl=2 l=  25 cons: SET
       88:d=4  hl=2 l=  23 cons: SEQUENCE
       90:d=5  hl=2 l=   3 prim: OBJECT            :commonName
       95:d=5  hl=2 l=  16 prim: UTF8STRING        :mail.example.com
       ...

-- 
                 Viktor.
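
The byte pattern reported above for the dirName value (C3 83 C2 B3 where C3 B3 was expected) is what results when UTF-8 bytes are read as Latin-1 and then encoded to UTF-8 a second time. The Python check below is an added example, not part of the original thread or of OpenSSL; it walks DER and flags UTF8String values showing that pattern. Function names and the sample DER structures are constructed for illustration.

```python
# Added example: find UTF8String values in DER that were UTF-8 encoded twice.

def double_encode(text):
    """UTF-8 bytes misread as Latin-1, then encoded to UTF-8 again."""
    return text.encode("utf-8").decode("latin-1").encode("utf-8")

def undo_double_encoding(raw):
    """Return the repaired text if raw is double-encoded UTF-8, else None."""
    try:
        once = raw.decode("utf-8").encode("latin-1")
        fixed = once.decode("utf-8")
    except UnicodeError:
        return None
    # Pure ASCII round-trips unchanged and is not an encoding fault.
    return fixed if once != raw else None

def walk_der(buf, pos=0, end=None):
    """Yield (tag, value_bytes) for every primitive TLV, descending into
    constructed ones. Handles short and long definite lengths only."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if tag & 0x20:                         # constructed: recurse into contents
            yield from walk_der(buf, pos, pos + length)
        else:
            yield tag, buf[pos:pos + length]
        pos += length

def find_double_encoded(der):
    """List (raw_hex, repaired_text) for each suspicious UTF8String (tag 0x0C)."""
    checked = ((v, undo_double_encoding(v)) for t, v in walk_der(der) if t == 0x0C)
    return [(v.hex(), fixed) for v, fixed in checked if fixed is not None]

def tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length, body < 128 bytes

CN_OID = tlv(0x06, bytes([0x55, 0x04, 0x03]))  # 2.5.4.3 commonName

def rdn(value):                                # SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, value)))

GOOD = tlv(0x30, rdn("Róót".encode("utf-8")))  # constructed: encoded once, like Subject
BAD = tlv(0x30, rdn(double_encode("Róót")))    # constructed: encoded twice, like the dirName
```

To run it against a real certificate, pass the DER bytes (for example the output of `openssl x509 -outform DER`) to `find_double_encoded`.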