error: ASN1_mbstring_ncopy:illegal characters

Viktor Dukhovni openssl-users at
Thu Apr 13 02:41:39 UTC 2023

On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:

> > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > an rfc822Name.  With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > instead of the numeric OID:
> > 
> >     [extensions]
> >     subjectAltName = @sans
> > 
> >     [sans]
> >     otherName.1 =;FORMAT:UTF8,UTF8String:потребитель@домен.example
> > 
> > Full support for this in certificate verification requires OpenSSL 3.0.
>
> Thanks. Sadly, I don't understand the config file format enough to
> know how to incorporate this into my existing config file (copied from
> a howto for S/MIME), which includes "subjectAltName = email:copy". If
> I just add the above, I get a new error when decrypting the private
> key.

That's for signing CSRs with a CA; I typically bypass that and create
the cert more directly.  I don't know how or whether there's support for
copying specific "otherName" extensions by OID.

> In the meantime, I might just wait until a user reports that my script
> isn't working for S/MIME with non-ASCII email addresses (if that ever
> happens). If they can show me the output of the openssl x509 ...
> -noout -text command for their certificate, that should be enough for
> me to fix my script.

You really SHOULD NOT parse the output of "openssl ... -text"; it is not a
stable machine-readable format.  Python has APIs for parsing X.509
objects, I was suggesting you use those.

If you really must go out on a limb, OpenSSL 3.0 would output:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            X509v3 Basic Constraints:
            X509v3 Subject Alternative Name:
                othername: SmtpUTF8Mailbox::виктор
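
The message above recommends reading the SAN through an X.509 API instead of the "-text" output. The following is an added example, not code from the thread: it assumes the third-party Python `cryptography` package, and the function names and the self-signed sample certificate are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-on-SmtpUTF8Mailbox (RFC 8398), the otherName type discussed in the thread
SMTP_UTF8_MAILBOX = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.9")

def decode_utf8string(der):
    """Decode one DER UTF8String (tag 0x0C); raise ValueError on anything else."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("otherName value is not a UTF8String")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        raise ValueError("DER length does not match the value")
    return der[offset:].decode("utf-8")  # strict; invalid UTF-8 raises ValueError

def smtp_utf8_mailboxes(cert):
    """Return every SmtpUTF8Mailbox otherName in the certificate's SAN."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return [decode_utf8string(other.value)
            for other in ext.value.get_values_for_type(x509.OtherName)
            if other.type_id == SMTP_UTF8_MAILBOX]

def build_sample_cert(mailbox):
    """Constructed self-signed test certificate (hypothetical helper)."""
    body = mailbox.encode("utf-8")
    assert len(body) < 0x80, "sample encoder only emits short-form lengths"
    san = x509.SubjectAlternativeName([
        x509.RFC822Name("user@example.com"),  # ASCII address, ignored by the filter
        x509.OtherName(SMTP_UTF8_MAILBOX, bytes([0x0C, len(body)]) + body)])
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed sample")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))

if __name__ == "__main__":
    print(smtp_utf8_mailboxes(build_sample_cert("потребитель@домен.example")))
```

For a real certificate, load it with `x509.load_pem_x509_certificate()` and pass the result to `smtp_utf8_mailboxes()`.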