error: ASN1_mbstring_ncopy:illegal characters

raf openssl at
Tue Apr 11 13:40:10 UTC 2023


I'm trying to create a CSR for an SMIME certificate for
an email address with non-ASCII characters (localpart
and domain), and I'm getting this error after entering
äbç@ê as the email address:

  139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:

The error message is similar if the only non-ASCII
characters are in the domain name, or if they are only
in the localpart (only the leading number in the error
message changes). It's just for testing purposes, and
I'm only really interested in the domain part.

I must be doing something wrong. How can I use
non-ASCII (UTF8-encoded Unicode characters,
LANG=en_AU.UTF-8)? It looks like it's expecting
multi-byte strings (a_mbstr.c).

My smime.cnf contains:
	[ req ]
	distinguished_name = req_distinguished_name

	[ req_distinguished_name ]
	countryName = Country Name (2 letter code)
	countryName_default = AU
	countryName_min = 2
	countryName_max = 2
	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = Some-State
	localityName = Locality Name (eg, city)
	0.organizationName = Organization Name (eg, company)
	0.organizationName_default = Internet Widgits Pty Ltd
	organizationalUnitName = Organizational Unit Name (eg, section)
	commonName = Common Name (e.g. server FQDN or YOUR name)
	commonName_max = 64
	emailAddress = Email Address
	emailAddress_max = 64

	[ smime ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	subjectAltName = email:copy
	extendedKeyUsage = emailProtection

And the openssl commands were:

    # Generate an RSA Private Key for the Certificate Authority
    openssl genrsa -aes256 -out ca.key 2048
    # Create Self-Signed Certificate for the Certificate Authority
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # Generate an RSA Private Key for the Personal E-Mail Certificate
    openssl genrsa -aes256 -out smime_test_user.key 2048
    # Create the Certificate Signing Request
    openssl req -new -key smime_test_user.key -out smime_test_user.csr

The error happened during the command above.

    > openssl req -new -key smime_test_user.key -out smime_test_user.csr

    Enter pass phrase for smime_test_user.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:äbç@ê
    problems making Certificate Request
    139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:

So I didn't get to the final command:

    # Sign the Certificate Using the Certificate Authority
    openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
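
Added example, not part of the original post and not OpenSSL code: the PKCS#9 emailAddress attribute and the rfc822Name SAN that `email:copy` fills are both IA5String (7-bit ASCII), which is the constraint the "illegal characters" error reports. The sketch below checks an address against that constraint and converts the domain to its ASCII A-label form; the function names are hypothetical and the sample addresses are constructed.

```python
# Added illustration; function names are hypothetical, not OpenSSL APIs.
# IA5String holds 7-bit characters only, so any UTF-8 input outside ASCII
# cannot be stored in emailAddress or in an rfc822Name SAN entry.

def fits_ia5string(value: str) -> bool:
    """True if every character is 7-bit, i.e. encodable as IA5String."""
    return all(ord(ch) < 0x80 for ch in value)


def domain_to_alabel(domain: str) -> str:
    """Convert an internationalized domain to its ASCII A-label form."""
    # Python's built-in "idna" codec implements IDNA 2003 (nameprep plus
    # punycode); it raises UnicodeError for empty or over-long labels.
    return domain.encode("idna").decode("ascii")


def classify_email(addr: str) -> dict:
    """Report how an address can be represented in a certificate."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not of the form local@domain: {addr!r}")
    try:
        ascii_domain = domain_to_alabel(domain)
    except UnicodeError as exc:
        raise ValueError(f"domain cannot be IDNA-encoded: {domain!r}") from exc

    result = {
        "input": addr,
        "ia5_ok": fits_ia5string(addr),   # False reproduces the failing case
        "ascii_domain": ascii_domain,
    }
    if fits_ia5string(local):
        # ASCII local part: rfc822Name works once the domain is an A-label.
        result["rfc822Name"] = f"{local}@{ascii_domain}"
        result["needs_smtputf8mailbox"] = False
    else:
        # Non-ASCII local part: no IA5String form exists; RFC 8398 defines
        # the SmtpUTF8Mailbox otherName for this case.
        result["rfc822Name"] = None
        result["needs_smtputf8mailbox"] = True
    return result


if __name__ == "__main__":
    # Constructed sample inputs, including the address from the post.
    for sample in ("äbç@ê", "abc@ê", "user@example.com"):
        print(classify_email(sample))
```

For the domain-only case, the A-label form of the address is plain ASCII and can be entered at the Email Address prompt as-is.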


