openssl req error with DN having a / in it

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

openssl req error with DN having a / in it

Robert Moskowitz
Developing saga on creating an intermediate CA cert with only CN and
said CN should be:

CN=IPv6::2001:24:28:24/64

Note that / in CN that seems to be a challenge.

    commonName="/CN=IPv6::2001:24:28:24/64"
    DN=$commonName
    echo $DN

    openssl req -config $cadir/openssl-root.cnf\
        -key $dir/private/intermediate.key.pem \
        -keyform pem -outform $format -subj "$DN" -new\
        -out $dir/csr/intermediate.csr.pem

req: Hit end of string before finding the equals.
problems making Certificate Request

Then I tried:

    commonName="/CN=IPv6::2001:24:28:24//64"
    DN=$commonName
    echo $DN

guessing that / was acting as an escape designator, tried the command
again and got the same

req: Hit end of string before finding the equals.
problems making Certificate Request

So how do I get that / into the CN?

thanks


Reply | Threaded
Open this post in threaded view
|

Re: openssl req error with DN having a / in it

JordanBrown
On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
[...]
   commonName="/CN=IPv6::2001:24:28:24/64"
[...]
req: Hit end of string before finding the equals.
problems making Certificate Request

Some systems present distinguished names using slashes as separators.  I assume that that's what you're running into here, that your string is being processed as a valid RDN "CN=IPv6::2001:24:28:24" and an invalid RDN "64".

You'll need to quote the slash.  I don't happen to know how, but my bet would be either \/ or %2F.

Reply | Threaded
Open this post in threaded view
|

Re: openssl req error with DN having a / in it

OpenSSL - User mailing list
On 15/08/2019 00:33, Jordan Brown wrote:

> On 8/14/2019 2:11 PM, Robert Moskowitz wrote:
>> [...]
>>    commonName="/CN=IPv6::2001:24:28:24/64"
>> [...]
>> req: Hit end of string before finding the equals.
>> problems making Certificate Request
>
> Some systems present distinguished names using slashes as separators. 
> I assume that that's what you're running into here, that your string
> is being processed as a valid RDN "CN=IPv6::2001:db8:28:24" and an
> invalid RDN "64".
>
> You'll need to quote the slash.  I don't happen to know how, but my
> bet would be either \/ or %2F.
>
This is why my mail proposed CN=[2001:24:28:24::9] with no
slashes for an end cert with a specific IP and a human readable
name that would sort with related names in the CA's CN element.
Also note that the "IPv6:" notation might confuse OpenSSL or
OpenSSL derived string parsing code.

Certificates for Bluetooth MAC addresses would be a different
notation such as CN=DC-BA-98-76-54-32 for a 48-bit MAC address,
or (to reuse name restrictions on via IPv6 SANs), the equivalent
[fe80::dcba:98ff:fe76:5432].

I don't understand what use case Moskowitz wants for a subnet
mask length such as /64 in an end cert.

P.S. 2001:db8::/32 is the official prefix for use in examples.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded