openssl req error with DN having a / in it

Jakob Bohm jb-openssl at
Thu Aug 15 01:09:38 UTC 2019

On 15/08/2019 00:33, Jordan Brown wrote:
> On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
>> [...]
>>    commonName="/CN=IPv6::2001:24:28:24/64"
>> [...]
>> req: Hit end of string before finding the equals.
>> problems making Certificate Request 
> Some systems present distinguished names using slashes as separators.  
> I assume that that's what you're running into here, that your string 
> is being processed as a valid RDN "CN=IPv6::2001:db8:28:24" and an 
> invalid RDN "64".
> You'll need to quote the slash.  I don't happen to know how, but my 
> bet would be either \/ or %2F.
This is why my mail proposed CN=[2001:24:28:24::9] with no
slashes for an end cert with a specific IP and a human readable
name that would sort with related names in the CA's CN element.
Also note that the "IPv6:" notation might confuse OpenSSL or
OpenSSL derived string parsing code.

Certificates for Bluetooth MAC addresses would be a different
notation such as CN=DC-BA-98-76-54-32 for a 48-bit MAC address,
or (to reuse name restrictions on via IPv6 SANs), the equivalent

I don't understand what use case Moskowitz wants for a subnet
mask length such as /64 in an end cert.

P.S. 2001:db8::/32 is the official prefix for use in examples.


Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list