16

I am trying to generate Certificate Signing Request with UTF-8 subject. 

$ openssl req  -utf8 -nodes -newkey rsa:2048 -keyout my.private_key.pem -out my.csr.pem -text
Generating a 2048 bit RSA private key
......................................................................................................................................................................+++
......+++
writing new private key to 'my.private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [PL]:
State or Province Name (full name) []:Zażółć gęślą jaźń
problems making Certificate Request
12376:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:a_mbstr.c:162:

Terminal encoding is UTF-8, I get the same problem when I use command line subject (...) -subj /C=PL/ST=zażółć\ gęślą\ jaźń/O=my-company/CN=ThisIsMeForSure

When I skip the -utf8 switch, the CSR is generated with all the non-ascii characters replaced with hex notation (eg ó becomes \xC3\xB3). Such CSR cannot be read properly with php (openss_x509_parse) - the original ó is read as four bytes, representing two weird characters...

What am I doing wrong?

SWilk
  • 3,261
  • 8
  • 30
  • 51
  • 1
    Using `openssl req` *without* a custom conf file means the server name will be in the `CN`. That practice is deprecated by both the IETF and the CA/B Forums. Instead, you should ensure the server names (and IP addresses) are in the `SAN`. See, for example, [How to create a self-signed certificate with openssl?](http://stackoverflow.com/a/27931596) (the answer is used for both signing requests and self signed certificates). And `string_mask = utf8only` is set in the conf file. – jww Apr 15 '15 at 12:07

3 Answers3

31

I've been successful with command

openssl req -new -utf8 -nameopt multiline,utf8 -config example.com.cnf -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Where example.com.cnf is a configuration file in UTF-8:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = Описание сайта                # Site description
emailAddress = envek@envek.name
O = Моя компания                   # My company
OU = Моё подразделение             # My dept
L = Москва                         # Moscow
C = RU

[ext]
subjectAltName = DNS:example.com,DNS:*.example.com

Displayed correctly in Chrome, Firefox, and Safari.

Envek
  • 4,426
  • 3
  • 34
  • 42
  • 6
    In fact, the -nameopt multiline,utf8 option is useless in this context. Only the -utf8 is making a difference. The user can still avoid setting this option on the command line with a proper configuration file. Just add utf8 = yes to the [req] section. This should be the prefer way to go since forgetting the -utf8 option on the command line may lead to undesired results. When displaying the certificate, you need to use the -nameopt utf8 option, the -nameopt multiline,utf8 option makes the utf8 value to be ignored for me. OpenSSL version 1.0.2h. – Achille May 29 '16 at 19:17
  • 4
    I confirmed `-utf8` option alone is enough. `openssl req -new -newkey rsa:2048 -sha256 -nodes -utf8 -subj "/C=JP/ST=大阪府/L=大阪市/O=架空の会社名の例/OU=あ/CN=www.example.jp" -out ./clients/$client_domain/$client_domain.csr.pem -keyout ./clients/$client_domain/$client_domain.key.pem` `$ dpkg-query -W -f='${Version}\n' openssl` 1.0.2g-1ubuntu4.5 Thanks, Achille! – hnakamur Oct 24 '16 at 08:03
  • you did not give email in non-English. Do you have any specific reason for that @Envek ? – Sumit Singh Apr 19 '17 at 04:36
  • Well, I've never seen non-latin email addresses. If you need to specify mailbox in internationalized domain, than you need to specify domain in Punycode (after @). But I don't know about username part (before @) – Envek Apr 19 '17 at 17:05
2

Try using the string_mask option:

string_mask

This option masks out the use of certain string types in certain fields. Most users will not need to change this option.

It can be set to several values default which is also the default option uses PrintableStrings, T61Strings and BMPStrings if the pkix value is used then only PrintableStrings and BMPStrings will be used. This follows the PKIX recommendation in RFC2459. If the utf8only option is used then only UTF8Strings will be used: this is the PKIX recommendation in RFC2459 after 2003. Finally the nombstr option just uses PrintableStrings and T61Strings: certain software has problems with BMPStrings and UTF8Strings: in particular Netscape.

Community
  • 1
  • 1
elecengin
  • 143
  • 1
  • 8
  • 2
    Apparently this (string_mask) is not sufficient. (This gives in fact UTF-8 codes to characters, but does not treat them that way during displaying in many tools). `-utf8` or `utf8 = yes` is the way to go. (Checked empirically). – Cromax Aug 08 '17 at 11:23
  • @Cromax you're right. Can you make an answer from the comment? – Vlastimil Ovčáčík Nov 15 '17 at 16:14
  • @Vlastimil The highest rated answer already includes `-utf8` switch, so I'm not really sure if there is a need for that. It just adds extra clarification, but nothing really important. Thank you, thou. – Cromax Nov 17 '17 at 09:09
1

Any unicode work for me, from php file.

<? shell_exec('openssl req -new -md5 -utf8 -key C:/Temp/1.key -out C:/Temp/1.csr -subj "/C=MD/ST=ff/O=Religie/OU=Cen/CN=中国/emailAddress=test@religiasatanista.ro" -config C:/Temp/openssl.cnf'); ?>
Vlastimil Ovčáčík
  • 2,799
  • 27
  • 29
Vitalicus
  • 1,188
  • 13
  • 15