error: ASN1_mbstring_ncopy:illegal characters
Mark Hack
markhack at markhack.com
Tue Apr 11 14:43:20 UTC 2023
Try adding the -utf8 option to the request.
https://www.openssl.org/docs/man3.1/man1/openssl-req.html
-utf8
This option causes field values to be interpreted as UTF8 strings,
by default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
Regards
Mark Hack
On Tue, 2023-04-11 at 23:40 +1000, raf via openssl-users wrote:
> Hi,
>
> I'm trying to create a CSR for an SMIME certificate for
> an email address with non-ASCII characters (localpart
> and domain), and I'm getting this error after entering
> äbç@être.org as the email address:
>
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> The error message is similar if the only non-ASCII
> characters are in the domain name, or if they are only
> in the localpart (only the leading number in the error
> message changes). It's just for testing purposes, and
> I'm only really interested in the domain part.
>
> I must be doing something wrong. How can I use
> non-ASCII (UTF8-encoded Unicode characters,
> LANG=en_AU.UTF-8)? It looks like it's expecting
> multi-byte strings (a_mbstr.c).
>
> My smime.cnf contains:
> [req]
> distinguished_name = req_distinguished_name
>
> [req_distinguished_name]
> countryName = Country Name (2 letter code)
> countryName_default = AU
> countryName_min = 2
> countryName_max = 2
> stateOrProvinceName = State or Province Name (full name)
> stateOrProvinceName_default = Some-State
> localityName = Locality Name (eg, city)
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = Internet Widgits Pty Ltd
> organizationalUnitName = Organizational Unit Name (eg, section)
> commonName = Common Name (e.g. server FQDN or YOUR name)
> commonName_max = 64
> emailAddress = Email Address
> emailAddress_max = 64
>
> [smime]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> subjectAltName = email:copy
> extendedKeyUsage = emailProtection
>
> And the openssl commands were:
>
> OPENSSL_CONF=`pwd`/smime.cnf
> # Generate an RSA Private Key for the Certificate Authority
> openssl genrsa -aes256 -out ca.key 2048
> # Create Self-Signed Certificate for the Certificate Authority
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> # Generate an RSA Private Key for the Personal E-Mail Certificate
> openssl genrsa -aes256 -out smime_test_user.key 2048
> # Create the Certificate Signing Request
> openssl req -new -key smime_test_user.key -out smime_test_user.csr
>
> The error happened during the command above.
>
> > openssl req -new -key smime_test_user.key -out smime_test_user.csr
>
> Enter pass phrase for smime_test_user.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:äbç@être.org
> problems making Certificate Request
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> So I didn't get to the final command:
>
> # Sign the Certificate Using the Certificate Authority
> openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
>
> cheers,
> raf
>
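
The -utf8 text quoted from the manual page requires every field value to be a valid UTF-8 string. The following is an added example, not part of the original message or of OpenSSL: a pre-flight check that classifies the raw bytes of each DN field before they are passed to openssl req. The function names and the commonName sample are assumptions made for illustration; the check covers input encoding only, not which ASN.1 string types a field accepts.

```python
"""Pre-flight encoding check for DN field values (added example)."""


def classify(raw):
    """Return 'ascii', 'utf8' or 'invalid' for the raw bytes of one field."""
    if all(b < 0x80 for b in raw):
        return "ascii"          # safe under the default ASCII interpretation
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return "invalid"        # e.g. typed in a Latin-1 terminal
    return "utf8"               # valid UTF-8 containing non-ASCII characters


def check_fields(fields):
    """Map field name -> encoding kind, byte length and character count."""
    report = {}
    for name, raw in fields.items():
        kind = classify(raw)
        chars = None if kind == "invalid" else len(raw.decode("utf-8"))
        report[name] = {"kind": kind, "bytes": len(raw), "chars": chars}
    return report


def needs_utf8_option(report):
    """True when at least one field holds non-ASCII UTF-8 text."""
    return any(entry["kind"] == "utf8" for entry in report.values())


def has_invalid_input(report):
    """True when a field is neither ASCII nor valid UTF-8."""
    return any(entry["kind"] == "invalid" for entry in report.values())


# Constructed sample input: the address from the thread as a UTF-8 terminal
# would deliver it, the same address as Latin-1 bytes, and an ASCII name.
ADDRESS = "äbç@être.org"
SAMPLE = {
    "commonName": b"Test User",                      # hypothetical value
    "emailAddress": ADDRESS.encode("utf-8"),
    "emailAddress (latin-1)": ADDRESS.encode("latin-1"),
}

if __name__ == "__main__":
    result = check_fields(SAMPLE)
    for field, entry in result.items():
        print(field, entry)
    print("non-ASCII UTF-8 present:", needs_utf8_option(result))
    print("invalid input present:", has_invalid_input(result))
```
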