error: ASN1_mbstring_ncopy:illegal characters
raf
openssl at raf.org
Tue Apr 11 13:40:10 UTC 2023
Hi,
I'm trying to create a CSR for an SMIME certificate for
an email address with non-ASCII characters (localpart
and domain), and I'm getting this error after entering
äbç@être.org as the email address:
139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
The error message is similar if the only non-ASCII
characters are in the domain name, or if they are only
in the localpart (only the leading number in the error
message changes). It's just for testing purposes, and
I'm only really interested in the domain part.
I must be doing something wrong. How can I use
non-ASCII (UTF8-encoded Unicode characters,
LANG=en_AU.UTF-8)? It looks like it's expecting
multi-byte strings (a_mbstr.c).
My smime.cnf contains:
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[smime]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = email:copy
extendedKeyUsage = emailProtection
And the openssl commands were:
OPENSSL_CONF=`pwd`/smime.cnf
# Generate an RSA Private Key for the Certificate Authority
openssl genrsa -aes256 -out ca.key 2048
# Create Self-Signed Certificate for the Certificate Authority
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate an RSA Private Key for the Personal E-Mail Certificate
openssl genrsa -aes256 -out smime_test_user.key 2048
# Create the Certificate Signing Request
openssl req -new -key smime_test_user.key -out smime_test_user.csr
The error happened during the command above.
> openssl req -new -key smime_test_user.key -out smime_test_user.csr
Enter pass phrase for smime_test_user.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:äbç@être.org
problems making Certificate Request
139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
So I didn't get to the final command:
# Sign the Certificate Using the Certificate Authority
openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
cheers,
raf
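An added example, not part of the post above: a pre-flight check for the value typed at the "Email Address" prompt, based on the fact that the X.509 emailAddress attribute is an IA5String (7-bit ASCII), which is why bytes above 0x7F are reported as illegal characters. The function name `ia5_email` is hypothetical, the sample inputs are constructed from the address in the post, and the 64-character limit is the `emailAddress_max` from the posted smime.cnf.

```python
import unicodedata

EMAIL_MAX = 64  # emailAddress_max from the smime.cnf in the post


def ia5_email(address: str, max_len: int = EMAIL_MAX) -> str:
    """Return a form of `address` that fits an IA5String (7-bit) field.

    The domain is converted to IDNA A-labels; a non-ASCII local part has
    no ASCII form, so it is rejected rather than altered.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % address)
    bad = [c for c in local if ord(c) > 0x7F]
    if bad:
        names = ", ".join(unicodedata.name(c, hex(ord(c))) for c in bad)
        raise ValueError("local part is not IA5String-encodable: " + names)
    try:
        # Python's built-in codec implements IDNA 2003 (RFC 3490).
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError("domain cannot be IDNA-encoded: %s" % exc) from exc
    result = local + "@" + ascii_domain
    # A-labels are longer than the Unicode form, so check the limit last.
    if len(result) > max_len:
        raise ValueError(
            "%d chars exceeds emailAddress_max=%d" % (len(result), max_len))
    return result


if __name__ == "__main__":
    for sample in ("abc@être.org", "äbç@être.org"):  # constructed inputs
        try:
            print(sample, "->", ia5_email(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```
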