When creating a CSR, openssl displays the following:

<quote>
State or Province Name (full name) [Some-State]:
</quote>

But, I can't find anywhere in the OpenSSL codebase that validates that the input is indeed a "full name"--e.g., that the input is "New York" instead of "NY".

I've done this search in GitHub:
https://github.com/openssl/openssl/search?utf8=%E2%9C%93&q=state%2Fprovince&type=Code

After looking through the code, I stumbled across the "ub_locality_name" size limit:
https://goo.gl/zAUe9w

And a couple lines up from that is a comment pointing to RFC 3280 <https://www.rfc-editor.org/rfc/rfc3280.txt>, which defines the following:

<quote>
id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE(1..ub-state-name)) }

ub-state-name INTEGER ::= 128
</quote>

I'm curious about this because the openssl command will create a CSR where stateOrProvince has a two-character (U.S.) state name, and (at least one) CA (Comodo) will happily issue a cert using such a CSR.

Is there any issue with a cert generated using such a CSR? Should the openssl command validate stateOrProvince? If not, then maybe it's just a matter of changing the prompt (I'm happy to submit a PR for such a minor change).

Thanks,
Tim
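The ASN.1 quoted in the message above constrains stateOrProvinceName only by string type and length, so a checker built from that definition alone accepts "NY" as readily as "New York". The following is an added example, not part of the original post and not OpenSSL code; the helper names (`read_tlv`, `children`, `check_state`, `tlv`, `sample_name`) and the sample subjects are constructed for illustration.

```python
OID_ST = b"\x55\x04\x08"          # id-at 8 (2.5.4.8), DER content octets
UB_STATE_NAME = 128               # ub-state-name from the RFC 3280 excerpt
# DER tag -> codec for the five CHOICE arms (T.61 approximated as latin-1)
CODECS = {0x14: "latin-1", 0x13: "ascii", 0x1C: "utf-32-be",
          0x0C: "utf-8", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_state(name_der):
    """Return [(text, within_size_bound)] for every ST attribute in a Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for _, rdn in children(rdns):           # each RDN is a SET
        for _, atv in children(rdn):        # SEQUENCE { type, value }
            (ttag, oid), (vtag, val) = list(children(atv))
            if ttag == 0x06 and oid == OID_ST:
                text = val.decode(CODECS[vtag])   # length counted in characters
                found.append((text, 1 <= len(text) <= UB_STATE_NAME))
    return found

def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_name(state):
    """Constructed subject 'C=US, ST=<state>' with ST as a UTF8String."""
    def rdn(oid, tag, raw):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, raw)))
    return tlv(0x30, rdn(b"\x55\x04\x06", 0x13, b"US") + rdn(OID_ST, 0x0C, state.encode()))
```

`check_state(sample_name("NY"))` and `check_state(sample_name("New York"))` both report the value as within bounds; only an empty value or one longer than 128 characters is flagged.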