Try adding the -utf8 option to the request.

https://www.openssl.org/docs/man3.1/man1/openssl-req.html

-utf8
    This option causes field values to be interpreted as UTF8 strings, by
    default they are interpreted as ASCII. This means that the field
    values, whether prompted from a terminal or obtained from a
    configuration file, must be valid UTF8 strings.

Regards
Mark Hack

On Tue, 2023-04-11 at 23:40 +1000, raf via openssl-users wrote:
> Hi,
>
> I'm trying to create a CSR for an SMIME certificate for
> an email address with non-ASCII characters (localpart
> and domain), and I'm getting this error after entering
> äbç@être.org as the email address:
>
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> The error message is similar if the only non-ASCII
> characters are in the domain name, or if they are only
> in the localpart (only the leading number in the error
> message changes). It's just for testing purposes, and
> I'm only really interested in the domain part.
>
> I must be doing something wrong. How can I use
> non-ASCII (UTF8-encoded Unicode characters,
> LANG=en_AU.UTF-8)? It looks like it's expecting
> multi-byte strings (a_mbstr.c).
>
> My smime.cnf contains:
>
> [req]
> distinguished_name = req_distinguished_name
>
> [req_distinguished_name]
> countryName = Country Name (2 letter code)
> countryName_default = AU
> countryName_min = 2
> countryName_max = 2
> stateOrProvinceName = State or Province Name (full name)
> stateOrProvinceName_default = Some-State
> localityName = Locality Name (eg, city)
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = Internet Widgits Pty Ltd
> organizationalUnitName = Organizational Unit Name (eg, section)
> commonName = Common Name (e.g. server FQDN or YOUR name)
> commonName_max = 64
> emailAddress = Email Address
> emailAddress_max = 64
>
> [smime]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> subjectAltName = email:copy
> extendedKeyUsage = emailProtection
>
> And the openssl commands were:
>
> OPENSSL_CONF=`pwd`/smime.cnf
> # Generate an RSA Private Key for the Certificate Authority
> openssl genrsa -aes256 -out ca.key 2048
> # Create Self-Signed Certificate for the Certificate Authority
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> # Generate an RSA Private Key for the Personal E-Mail Certificate
> openssl genrsa -aes256 -out smime_test_user.key 2048
> # Create the Certificate Signing Request
> openssl req -new -key smime_test_user.key -out smime_test_user.csr
>
> The error happened during the command above.
>
> > openssl req -new -key smime_test_user.key -out smime_test_user.csr
> Enter pass phrase for smime_test_user.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:äbç@être.org
> problems making Certificate Request
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> So I didn't get to the final command:
>
> # Sign the Certificate Using the Certificate Authority
> openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
>
> cheers,
> raf