OU changed during request-processing


OU changed during request-processing

Tom Horstmann
Dear members,

our customer sent a pkcs#7 certification request to his CA containing the DN

[ req_distinguished_name ]
C=DE
O=ITSG TrustCenter fuer Arbeitgeber
0.OU=Braukmann Personalmanagement GmbH 
1.OU=BN13538740
CN=Andrea Degler-Scheel

After processing the request the CA told him the DN was

C=DE
O=ITSG TrustCenter fuer Arbeitgeber
OU={T.61/Latin-1}Braukmann Personalmanagement GmbH
OU=BN13538740
CN=Andrea Degler-Scheel

See the difference in OU.1?   {T.61/Latin-1}
Can someone explain to me what this string is for? I know it deals with
character sets.

The CA rejects the request as it contains unpermitted chars ({}).
Our customer has sent 3 requests now of which none was processed without the
problem occurring. So I have to prove now that the string was not in the file
when it was sent to the CA and was included later when processed by
the CA.

I created a self-signed certificate on the request which does not
contain the string. I also checked the decoded request-file the customer
sent. The string is not in there.

I sent the decoded request to the CA. The reply was, it couldn't be their
problem as they correctly process more than 10000 requests a month. I should
ask my software vendor. I do so now:)
Does someone know a simple reason why that string is put in the DN while
processing a certification-request?

Just to let google know about that CA: ITSG Trustcenter.

thx in advance,

Tom Horstmann

--
PROSOFT EDV-Loesungen GmbH & Co. KG              http://www.proSoft.org
St.-Kassians-Platz 6, D-93047 Regensburg      [hidden email]
Geschaeftsfuehrer: Axel-Wilhelm Wegmann      phone: +49 941 / 78 88 7-0
AG Regensburg HRA 6608 USt.183/68311     cellphone: +49 171 / 40 54 777
--

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: OU changed during request-processing

Dr. Stephen Henson
On Wed, Mar 15, 2006, Tom Horstmann wrote:

> Dear members,
>
> our customer sent a pkcs#7 certification request to his CA containing the DN
>
> [ req_distinguished_name ]
> C=DE
> O=ITSG TrustCenter fuer Arbeitgeber
> 0.OU=Braukmann Personalmanagement GmbH 
> 1.OU=BN13538740
> CN=Andrea Degler-Scheel
>
> After processing the request the CA told him the DN was
>
> C=DE
> O=ITSG TrustCenter fuer Arbeitgeber
> OU={T.61/Latin-1}Braukmann Personalmanagement GmbH
> OU=BN13538740
> CN=Andrea Degler-Scheel
>
> See the difference in OU.1?   {T.61/Latin-1}
> Can someone explain to me what this string is for? I know it deals with
> character sets.
>
> The CA rejects the request as it contains unpermitted chars ({}).
> Our customer has sent 3 requests now of which none was processed without the
> problem occurring. So I have to prove now that the string was not in the file
> when it was sent to the CA and was included later when processed by
> the CA.
>
> I created a self-signed certificate on the request which does not
> contain the string. I also checked the decoded request-file the customer
> sent. The string is not in there.
>
> I sent the decoded request to the CA. The reply was, it couldn't be their
> problem as they correctly process more than 10000 requests a month. I should
> ask my software vendor. I do so now:)
> Does someone know a simple reason why that string is put in the DN while
> processing a certification-request?
>
> Just to let google know about that CA: ITSG Trustcenter.
>

It would help if you posted the certificate request or at least tried this:

openssl req -in req.pem -noout -subject -nameopt multiline,show_type

if it shows a T61 in there then the CA may not like T61Strings. OpenSSL will
use a T61 if it is configured to and if the characters used require it. If
there is an "international" character in there (MSB set in ISO8859-1 character
set) then that is the cause.

The use of T61s is now discouraged and newer software uses UTF8Strings instead
which the latest OpenSSL config files use. If you change the line in
openssl.cnf which begins "string_mask" to:

string_mask = utf8only

it will use UTF8Strings for everything. Then generate a new request and see
what the result is.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: OU changed during request-processing

Tom Horstmann
Dear Steve,

> It would help if you posted the certificate request or at
> least tried this:
>
> openssl req -in req.pem -noout -subject -nameopt multiline,show_type

ah, clear now. Thank you. Output as follows:

    countryName               = PRINTABLESTRING:DE
    organizationName          = PRINTABLESTRING:ITSG TrustCenter fuer Arbeitgeber
    organizationalUnitName    = T61STRING:Braukmann Personalmanagement GmbH\A0
    organizationalUnitName    = PRINTABLESTRING:BN13538740
    commonName                = PRINTABLESTRING:Andrea Degler-Scheel

Regards,

Tom Horstmann

--
PROSOFT EDV-Loesungen GmbH & Co. KG              http://www.proSoft.org
St.-Kassians-Platz 6, D-93047 Regensburg      [hidden email]
Geschaeftsfuehrer: Axel-Wilhelm Wegmann      phone: +49 941 / 78 88 7-0
AG Regensburg HRA 6608 USt.183/68311     cellphone: +49 171 / 40 54 777
--



Re: OU changed during request-processing

Goetz Babin-Ebell
Tom Horstmann schrieb:

>> It would help if you posted the certificate request or at
>> least tried this:
>>
>> openssl req -in req.pem -noout -subject -nameopt multiline,show_type
>
> ah, clear now. Thank you. Output as follows:
>
>     countryName               = PRINTABLESTRING:DE
>     organizationName          = PRINTABLESTRING:ITSG TrustCenter fuer
> Arbeitgeber
>     organizationalUnitName    = T61STRING:Braukmann Personalmanagement
> GmbH\A0
      ^^^
This looks strange.
In ISO-8859-1 it is a non-breakable space.

Can you remove it from the request ?

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


RE: OU changed during request-processing

Tom Horstmann
Dear Goetz,

> >> It would help if you posted the certificate request or at
> >> least tried this:
> >>
> >> openssl req -in req.pem -noout -subject -nameopt multiline,show_type
> >
> > ah, clear now. Thank you. Output as follows:
> >
> >     countryName               = PRINTABLESTRING:DE
> >     organizationName          = PRINTABLESTRING:ITSG TrustCenter fuer
> > Arbeitgeber
> >     organizationalUnitName    = T61STRING:Braukmann Personalmanagement
> > GmbH\A0
>       ^^^
> This looks strange.
> In ISO-8859-1 it is a non-breakable space.
>
> Can you remove it from the request ?

didn't try. Our customer will. But it seems clear that was the problem.
0xA0 isn't removed by our trim (). No idea how it got there.

Thank you for helping.

Regards,

Tom Horstmann

--
PROSOFT EDV-Loesungen GmbH & Co. KG              http://www.proSoft.org
St.-Kassians-Platz 6, D-93047 Regensburg      [hidden email]
Geschaeftsfuehrer: Axel-Wilhelm Wegmann      phone: +49 941 / 78 88 7-0
AG Regensburg HRA 6608 USt.183/68311     cellphone: +49 171 / 40 54 777
--
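
Added example, not part of the original thread: a pre-submission check for DN field values that shows why an ASCII-only trim leaves the 0xA0 byte in place and how that one byte moves the OU from PrintableString to T61String. The type chooser is a simplified model of a non-UTF8 string_mask (narrowest type that fits), not OpenSSL's code; the function names and the sample bytes are constructed for illustration.

```python
import unicodedata

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")

def legacy_string_type(value: str) -> str:
    """Simplified model (assumption): pick the narrowest type that fits."""
    if all(ch in PRINTABLE for ch in value):
        return "PRINTABLESTRING"
    if all(ord(ch) <= 0xFF for ch in value):
        return "T61STRING"      # what the OU in the thread ended up as
    return "BMPSTRING"

def clean_dn_value(raw: bytes, encoding: str = "latin-1") -> str:
    """Map every Unicode space separator (category Zs, includes U+00A0) to an
    ASCII space, drop control/format characters, then trim both ends."""
    out = []
    for ch in raw.decode(encoding):
        cat = unicodedata.category(ch)
        if cat == "Zs":
            out.append(" ")
        elif cat not in ("Cc", "Cf"):
            out.append(ch)
    return "".join(out).strip()

def audit(fields):
    """Return (name, type, non-PrintableString code points) per field, as submitted."""
    report = []
    for name, raw in fields:
        text = raw.decode("latin-1")
        bad = [f"0x{ord(c):02X}" for c in text if c not in PRINTABLE]
        report.append((name, legacy_string_type(text), bad))
    return report

# Constructed sample: the DN from the thread, with the OU carrying a trailing 0xA0.
SAMPLE = [
    ("C", b"DE"),
    ("O", b"ITSG TrustCenter fuer Arbeitgeber"),
    ("OU", b"Braukmann Personalmanagement GmbH\xa0"),
    ("OU", b"BN13538740"),
    ("CN", b"Andrea Degler-Scheel"),
]

if __name__ == "__main__":
    for name, kind, bad in audit(SAMPLE):
        print(f"{name:3} {kind:16} {' '.join(bad)}")
    fixed = clean_dn_value(SAMPLE[2][1])
    print(repr(fixed), legacy_string_type(fixed))
```

Running the audit on every field before the request is generated flags the stray byte at the source, independent of which string_mask the signing side expects.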
