RFC 3280 UTF8String representation problems



Hi everyone,


I have problems implementing RFC 3280 for “Issuer” and “Subject”, concerning the DirectoryString implementation that must use the “UTF8String” representation.


In my case the certificate request is prepared inside MS IE using the VBScript XEnroll function “createPKCS10( ByVal DNName As String, ByVal Usage As String ) As String”, which is quite a common way of doing it.


If the “DNName” parameter includes only “printableString” characters then the PKCS10 request is specified by “printableString” representation. If there are other symbols then “bmpString” representation is used. This is what Microsoft do and I have no way to change it.


If I send this PKCS10 request to the “openssl ca ...” command to issue a certificate then the resulting fields are either “printableString” or “bmpString” as specified in the original PKCS10 request. How could I change them to “UTF8String”?


I found 2 ways:

1. Extract the subject from MS XEnroll PKCS10 request, convert it to “UTF8String” and change the subject in the original PKCS10 request using “-utf8 -nameopt utf8” command line parameters:

openssl req -in old_pkcs10.p10 -out new_pkcs10.p10 -utf8 -nameopt utf8 -subj "${new_utf8_subj}"


The problem here is that when I want to sign this request changed into “UTF8String”, “openssl ca” complains that the PKCS10 signature is not valid any more and refuses to issue the certificate. There is no “-noverift” option there ;(


2. When signing the MS XEnroll PKCS10 request using “openssl ca” I could use the “-subj” parameter to specify the new “UTF8String” converted subject.


The problem here is that there are no “-utf8 -nameopt utf8” parameters in the “openssl ca” command.


My question is: How to change the DN (Subject) into “UTF8String” and sign the certificate request?


Best regards,
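
The string-type difference described in the message above, as an added example that is not part of the original post: it DER-encodes one commonName as PrintableString, BMPString or UTF8String, reads the type back from the encoded Name, and shows that re-encoding changes the bytes a PKCS#10 signature is computed over. The function names and the sample names are constructed for illustration, and the SHA-256 over the Name alone stands in for the hash of the full CertificationRequestInfo.

```python
import hashlib

# ASN.1 universal tag and Python codec for each DirectoryString choice in the post
TYPES = {"PrintableString": (0x13, "ascii"), "BMPString": (0x1E, "utf-16-be"),
         "UTF8String": (0x0C, "utf-8")}
OID_CN = bytes([0x06, 0x03, 0x55, 0x04, 0x03])   # 2.5.4.3 commonName

def der_len(n):                                  # DER definite-length octets
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_name(cn, string_type):
    """DER Name holding a single commonName RDN in the given string type."""
    tag, codec = TYPES[string_type]
    atv = tlv(0x30, OID_CN + tlv(tag, cn.encode(codec)))  # AttributeTypeAndValue
    return tlv(0x30, tlv(0x31, atv))                      # SEQUENCE { SET { atv } }

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner

def string_types(name_der):
    """Name the string type of every attribute value in a DER Name."""
    names = {tag: name for name, (tag, _) in TYPES.items()}
    out = []
    for _, rdn in children(read_tlv(name_der, 0)[1]):
        for _, atv in children(rdn):
            tag = list(children(atv))[1][0]      # [0] is the OID, [1] the value
            out.append(names.get(tag, hex(tag)))
    return out

def signed_digest(name_der):
    """Stand-in for the digest of the signed request info containing this Name."""
    return hashlib.sha256(name_der).hexdigest()
```

For a Cyrillic name the BMPString and UTF8String encodings have the same length but different tag and content bytes, so a signature made over the original request cannot verify after the subject is re-encoded.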