Re: openssl req error with DN having a / in it

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 15/08/2019 00:33, Jordan Brown wrote:
On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
[...]
   commonName="/CN=IPv6::2001:24:28:24/64"
[...]
req: Hit end of string before finding the equals.
problems making Certificate Request

Some systems present distinguished names using slashes as separators.  I assume that that's what you're running into here, that your string is being processed as a valid RDN "CN=IPv6::2001:db8:28:24" and an invalid RDN "64".

You'll need to quote the slash.  I don't happen to know how, but my bet would be either \/ or %2F.

This is why my mail proposed CN=[2001:24:28:24::9] with no
slashes for an end cert with a specific IP and a human readable
name that would sort with related names in the CA's CN element.
Also note that the "IPv6:" notation might confuse OpenSSL or
OpenSSL derived string parsing code.

Certificates for Bluetooth MAC addresses would be a different
notation such as CN=DC-BA-98-76-54-32 for a 48-bit MAC address,
or (to reuse name restrictions on via IPv6 SANs), the equivalent
[fe80::dcba:98ff:fe76:5432].

I don't understand what use case Moskowitz wants for a subnet
mask length such as /64 in an end cert.

P.S. 2001:db8::/32 is the official prefix for use in examples.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux