I am trying to build a certificate request with a custom OID and it is encoding strange characters in the certificate.
For example I specify the following line in the .cnf file:
bla_policy = ASN1:PRINTABLESTRING:blabla
Then I get the following when I dump the csr:
1.2.3.4.5.6.7:
..blabla
The ?..? seems to be somewhat random and does not seem to encode a length or anything else. Any ideas on how I can get rid of those two random characters or why I am getting them?
More detail:
OpenSSL version:
1.0.1e on Windows and 1.0.1e.42.el7.9 on Centos 7.
Given the following script:
#!/bin/bash
KEYNAME=test.key
CSRNAME=test.csr
SUBJECT="/C=US/ST=Georgia/L=Atlanta/O=Bla/CN=test/emailAddress=certs at bla.com <mailto:C=US/ST=Georgia/L=Atlanta/O=Bla/CN=test/emailAddress=certs at bla.com>"
DAYS=365
echo Cleaning up
rm $KEYNAME $CSRNAME
echo Generating key $KEYNAME
openssl genrsa -out $KEYNAME 2048
echo Generating req $CSRNAME
openssl req -new -key $KEYNAME -out $CSRNAME -nodes -subj "$SUBJECT" -verbose -config req.cnf
if [ -f $CSRNAME ]; then
openssl req -in $CSRNAME -text -noout | less
fi
And the following req.cnf:
oid_section = new_oids
[ new_oids ]
bla_policy = 1.2.3.4.5.6.7
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature, nonRepudiation, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage=clientAuth, emailProtection
bla_policy = ASN1:PRINTABLESTRING:blabla
Get the following output:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Georgia, L=Atlanta, O=Bla, CN=test/emailAddress=certs at bla.com <mailto:CN=test/emailAddress=certs at bla.com>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
? (Deleted for clarity)
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
1.2.3.4.5.6.7:
..blabla
Signature Algorithm: sha256WithRSAEncryption
? (Deleted for clarity)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150811/3bf07b55/attachment-0001.html>
