[DBWG] Nonconformant X.509 issuer+subject names in almost all Afrinic RPKI CA/EE certs?
Yogesh Chadee
yogesh at afrinic.net
Wed Feb 28 07:21:12 UTC 2024
Dear Job,
Thank you for pointing this out and even finding the solutions on all
fronts. We are looking into this information and will get back to you
and the group soon.
Regards,
Yogesh
On 27/02/2024 23:41, Job Snijders wrote:
> Dear Afrinic,
>
> On Tue, Feb 27, 2024 at 07:50:39PM +0100, Job Snijders wrote:
>> Perhaps adding "string_mask = nombstr" to the "[req]" section of the
>> openssl.cnf file pointed to by the '-config' CLI option is sufficient
>> to - going forward - only emit PrintableString instead of UTF8String.
>>
>> https://www.openssl.org/docs/man3.0/man1/openssl-req.html#string_mask
> Perhaps I found the root cause! It turns out the above documentation
> contains errors. The 'default' value is not the default option, utf8only
> is the actual default value :-)
>
> I submitted a fix to the OpenSSL project to clarify what the software
> really does: https://github.com/openssl/openssl/pull/23699
>
> In any case, using 'nombstr' should trigger the desired behavior of
> emitting PrintableString in accordance with the RPKI specifications.
>
> Kind regards,
>
> Job
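
A check for the encoding discussed in this thread, as an added example that is not part of either message nor of Afrinic's or OpenSSL's code: it walks a DER-encoded X.509 Name and lists the attributes whose value is not a PrintableString. The function names and the two sample Names are constructed for illustration.

```python
# Added example: walk a DER-encoded X.509 Name and report each value's string type.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
               0x16: "IA5String", 0x1E: "BMPString"}
ATTR_OIDS = {"550403": "commonName", "550405": "serialNumber"}  # 2.5.4.3, 2.5.4.5

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_string_types(der_name):
    """Return [(attribute, string type)] for every AttributeTypeAndValue in a Name."""
    tag, rdn_sequence, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for _, rdn in children(rdn_sequence):          # each RDN is a SET
        for _, atv in children(rdn):               # each member is a SEQUENCE
            (_, oid), (value_tag, _) = list(children(atv))
            found.append((ATTR_OIDS.get(oid.hex(), oid.hex()),
                          STRING_TAGS.get(value_tag, hex(value_tag))))
    return found

def not_printablestring(der_name):
    """Attributes whose value is encoded as anything other than PrintableString."""
    return [item for item in name_string_types(der_name) if item[1] != "PrintableString"]

def build_name(cn, string_tag):
    """Constructed sample: a one-RDN Name holding a commonName (short lengths only)."""
    atv = bytes.fromhex("0603550403") + bytes([string_tag, len(cn)]) + cn
    atv = b"\x30" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(atv) + 2]) + b"\x31" + bytes([len(atv)]) + atv

SAMPLE_UTF8 = build_name(b"EXAMPLE-CA-01", 0x0C)       # constructed, not a real cert
SAMPLE_PRINTABLE = build_name(b"EXAMPLE-CA-01", 0x13)  # constructed, not a real cert
```
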