error: ASN1_mbstring_ncopy:illegal characters
openssl-users at dukhovni.org
Thu Apr 13 02:41:39 UTC 2023
On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:
> > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > an rfc822Name. With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > instead of the numeric OID:
> > [extensions]
> > subjectAltName = @sans
> > [sans]
> > otherName.1 = 220.127.116.11.18.104.22.168.9;FORMAT:UTF8,UTF8String:потребитель@домен.example
> > Full support for this in certificate verification requires OpenSSL 3.0.
> Thanks. Sadly, I don't understand the config file format enough to
> know how to incorporate this into my existing config file (copied from
> a howto for S/MIME). which includes "subjectAltName = email:copy". If
> I just add the above, I get a new error when decrypting the private
That's for signing CSRs with a CA, I typically bypass that, and create
the cert more directly. I don't know how or whether there's support for
copying specific "otherName" extensions by OID.
> In the meantime, I might just wait until a user reports that my script
> isn't working for S/MIME with non-ASCII email addresses (if that ever
> happens). If they can show me the output of the openssl x509 ...
> -noout -text command for their certificate, that should be enough for
> me to fix my script.
You reall SHOULD NOT parse the output of "openssl ... -text" it is not a
stable machine-readable format. Python has APIs for parsing X.509
objects, I was suggesting you use those.
If you really must go out on a limb, OpenSSL 3.0 would output:
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
X509v3 Basic Constraints:
X509v3 Subject Alternative Name:
More information about the openssl-users