[openssl-users] Question about stateOrProvince

Tim Boring tjboring at gmail.com
Wed Aug 31 01:28:19 UTC 2016

When creating a CSR, openssl displays the following:

State or Province Name (full name) [Some-State]:

But, I can't find anywhere in the OpenSSL codebase that validates that the
input is indeed a "full name"--e.g., that the input is "New York" instead
of "NY".

I've done this search in GitHub:

After looking through the code, I stumbled across the "ub_locality_name"
size limit:

And a couple lines up from that is a comment pointing to RFC 3280
<https://www.rfc-editor.org/rfc/rfc3280.txt>, which defines the following:


id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE(1..ub-state-name)) }

ub-state-name INTEGER ::= 128


I'm curious about this because the openssl command will create a CSR where
stateOrProvince has a two-character (U.S.) state name, and (at least one)
CA (Comodo) will happily issue a cert using such a CSR.

Is there any issue with a cert generated using such a CSR? Should the
openssl command validate stateOrProvince? If not, then maybe it's just a
matter of changing the prompt (I'm happy to submit a PR for such a minor
