[DBWG] Nonconformant X.509 issuer+subject names in almost all Afrinic RPKI CA/EE certs?
Job Snijders
job at fastly.com
Tue Feb 27 19:41:15 UTC 2024
Dear Afrinic,

On Tue, Feb 27, 2024 at 07:50:39PM +0100, Job Snijders wrote:
> Perhaps adding "string_mask = nombstr" to the "[req]" section of the
> openssl.cnf file pointed to by the '-config' CLI option is sufficient
> to - going forward - only emit PrintableString instead of UTF8String.
>
> https://www.openssl.org/docs/man3.0/man1/openssl-req.html#string_mask

Perhaps I found the root cause! It turns out the above documentation
contains errors. The 'default' value is not the default option, utf8only
is the actual default value :-)

I submitted a fix to the OpenSSL project to clarify what the software
really does: https://github.com/openssl/openssl/pull/23699

In any case, using 'nombstr' should trigger the desired behavior of
emitting PrintableString in accordance with the RPKI specifications.

Kind regards,

Job
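
Added example, not part of the original message and not OpenSSL or Afrinic code: a small standard-library Python checker that walks a DER-encoded certificate and reports which ASN.1 string type each issuer and subject attribute uses, so the UTF8String versus PrintableString difference discussed above can be verified on issued certificates. All function names and the sample certificate skeleton are constructed for illustration.

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String", 0x1E: "BMPString"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def oid_str(b):
    """Dotted OID; assumes a single-byte first subidentifier (true for 2.5.4.x)."""
    first, arcs, n = min(b[0] // 40, 2), [], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:                            # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, [first, b[0] - 40 * first] + arcs))

def name_string_types(rdn_sequence):
    """[(attribute OID, string type)] for the contents of an X.501 Name."""
    return [(oid_str(atv[0][1]), STRING_TAGS.get(atv[1][0], hex(atv[1][0])))
            for _, rdn in children(rdn_sequence)       # RelativeDistinguishedName (SET)
            for atv in (list(children(v)) for _, v in children(rdn))]

def cert_name_types(cert_der):
    """Issuer and subject string types of a DER-encoded X.509 certificate."""
    tbs = list(children(next(children(read_tlv(cert_der)[1]))[1]))
    if tbs[0][0] == 0xA0:                              # skip the explicit [0] version field
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject
    return {"issuer": name_string_types(tbs[2][1]), "subject": name_string_types(tbs[4][1])}

def tlv(tag, value):  # short-form DER builder, used only for the constructed sample
    return bytes([tag, len(value)]) + value

def sample_cert(cn, string_tag):  # constructed skeleton, not a valid signed certificate
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(string_tag, cn))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name + tlv(0x30, b"") + name)
    return tlv(0x30, tlv(0x30, tbs))
```

Pass `cert_name_types` the raw bytes of a DER-encoded certificate; an attribute reported as UTF8String is the encoding the message above attributes to the `utf8only` default.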