openssl req error with DN having a / in it
Jakob Bohm
jb-openssl at wisemo.com
Thu Aug 15 01:09:38 UTC 2019
On 15/08/2019 00:33, Jordan Brown wrote:
> On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
>> [...]
>> commonName="/CN=IPv6::2001:24:28:24/64"
>> [...]
>> req: Hit end of string before finding the equals.
>> problems making Certificate Request
>
> Some systems present distinguished names using slashes as separators.
> I assume that that's what you're running into here, that your string
> is being processed as a valid RDN "CN=IPv6::2001:db8:28:24" and an
> invalid RDN "64".
>
> You'll need to quote the slash. I don't happen to know how, but my
> bet would be either \/ or %2F.
>
This is why my mail proposed CN=[2001:24:28:24::9] with no
slashes for an end cert with a specific IP and a human readable
name that would sort with related names in the CA's CN element.
Also note that the "IPv6:" notation might confuse OpenSSL or
OpenSSL derived string parsing code.

Certificates for Bluetooth MAC addresses would be a different
notation such as CN=DC-BA-98-76-54-32 for a 48-bit MAC address,
or (to reuse name restrictions on via IPv6 SANs), the equivalent
[fe80::dcba:98ff:fe76:5432].

I don't understand what use case Moskowitz wants for a subnet
mask length such as /64 in an end cert.

P.S. 2001:db8::/32 is the official prefix for use in examples.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
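
Added example, not part of the original message and not OpenSSL's own code: a simplified Python model of the `/type=value/type=value` subject format, in which `/` separates RDNs and a backslash escapes the next character, showing why the unescaped `/64` produces the error quoted in the thread. `split_subj` is a hypothetical name, the inputs are constructed with the 2001:db8::/32 documentation prefix, and multi-valued RDNs (`+`) are not modelled.

```python
# Simplified model of splitting a "/type=value/type=value" subject string.
# Illustration only; split_subj is a hypothetical helper, not an OpenSSL API.

def split_subj(subj):
    """Return [(type, value), ...]; raise ValueError on a malformed string."""
    if not subj.startswith("/"):
        raise ValueError("name is expected to be in the format /type0=value0/...")
    rdns = []
    i, n = 1, len(subj)
    while i < n:
        # Collect the attribute type: everything up to the first '='.
        typ = []
        while i < n and subj[i] != "=":
            typ.append(subj[i])
            i += 1
        if i >= n:
            # A trailing fragment such as "64" has no '=' at all.
            raise ValueError("Hit end of string before finding the equals.")
        i += 1  # skip '='
        # Collect the value: everything up to the next unescaped '/'.
        val = []
        while i < n and subj[i] != "/":
            if subj[i] == "\\":
                i += 1  # drop the backslash, keep the character after it
                if i >= n:
                    raise ValueError("escape character at end of string")
            val.append(subj[i])
            i += 1
        i += 1  # skip the separating '/'
        rdns.append(("".join(typ), "".join(val)))
    return rdns


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "/CN=IPv6::2001:db8:28:24/64",    # unescaped slash: "64" read as an RDN
        "/CN=IPv6::2001:db8:28:24\\/64",  # escaped slash: one CN value
        "/CN=[2001:db8:28:24::9]",        # bracketed form without slashes
    ]
    for s in samples:
        try:
            print(s, "->", split_subj(s))
        except ValueError as err:
            print(s, "-> error:", err)
```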