
I've created a self-signed SSL certificate and have no trouble using it, but the browser (Firefox, Chrome/IE) shows garbled characters in the Organization's name (anything above ASCII has 2 characters).

I created the certificate in a Debian running on virtualbox (Win host), the shell's locales are all *.UTF-8, and I used CA.pl for this. I can create files with Unicode characters and have no other issues, but the cert has "Organizaução" instead of "Organização".

Any tips? Escaping the characters (how)? Dumbing down the locale to ISO/IEC 8859-1? Using some non-shell method? Am I missing something obvious?

On a side note, is there an easy way (i.e. 4ummies™) to distribute the certificate, so a user can just click and install? All the guides I've seen involve too many windows for a regular user to bother with; and without installing it the browser will yelp every time the user visits (except Firefox, which allows an easy installation via the warning box).

Edit 1

Checking the asn1parse manpage and using its example:

```
openssl asn1parse -genstr 'UTF8:Organização'
```

produces:

```
0:d=0  hl=2 l=  17 prim: UTF8STRING        :Organização
```

So I assume it's a problem with the input. This is my locale information:

```
LANG=pt_PT.utf8
LANGUAGE=en_US:en
All LC_* fields="pt_PT.utf8"
LC_ALL=
```

I have no problems touching Organização or any other files with non-ASCII characters, yet my CA cert gets dumbed down to 8 bits.

Edit 2

I've started with this tutorial, but went on to reading the OpenSSL man. In reading the req man I came across this in the bugs section: "As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString".

So I tried with:

```
openssl asn1parse -genstr 'BMP:Organização'
```

and end up with an empty string:

```
0:d=0  hl=2 l=  26 prim: BMPSTRING
```
vesperto
  • I checked a bunch of sites: the majority has their heads in the ASCII sands, but some do use non-ASCII characters, so it's not a protocol limitation or something. – vesperto May 11 '14 at 23:29
  • According to [RFC 5280](http://www.ietf.org/rfc/rfc5280.txt), `organizationName` allowed types are `teletexString`, `printableString`, `universalString`, `utf8String` and `bmpString`. `openssl.cnf` uses `string_mask = utf8only` by default. Did you perform an ASN.1 dump on the cert to ensure it's *not* UTF8 (see `openssl asn1parse -in ...` and [asn1parse(1)](https://www.openssl.org/docs/apps/asn1parse.html))? What are you using to display the cert and `organizationName`? – jww May 12 '14 at 01:51
  • This question appears to belong on another site in the Stack Exchange network because it's not about programming. Perhaps [Super User](https://www.superuser.com/), [Information Security Stack Exchange](https://security.stackexchange.com/) or [Cryptography Stack Exchange](https://crypto.stackexchange.com/). – jww May 12 '14 at 01:58
  • Thanks for the tips, @jww, I've edited the question. I'm using the browser: viewing the certificate information when it complains it's not trusted. I've tried Portuguese and English Firefox+Win7, as well as Chrome. – vesperto May 12 '14 at 12:13
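As an added example (not part of the question or the answers): a small Python encoder/decoder for the ASN.1 string types discussed above, which reproduces the lengths in the asn1parse output. "Organização" is 13 bytes in UTF-8; l=17 and l=26 are what you get when those 13 bytes are first read as 13 single-byte characters and only then encoded as UTF8String or BMPString, and the BMPSTRING line is not empty, asn1parse simply does not print that type's contents. The function names (`as_single_byte_chars`, `asn1parse_line`) are my own.

```python
UTF8STRING, BMPSTRING, T61STRING = 0x0C, 0x1E, 0x14  # ASN.1 universal tags

def der_length(n):
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_utf8string(text):
    payload = text.encode("utf-8")
    return bytes([UTF8STRING]) + der_length(len(payload)) + payload

def encode_bmpstring(text):
    if any(ord(c) > 0xFFFF for c in text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    payload = text.encode("utf-16-be")  # UCS-2 big-endian, 2 bytes per character
    return bytes([BMPSTRING]) + der_length(len(payload)) + payload

def decode_string(der):
    """Decode one primitive string TLV; returns (type name, text)."""
    tag, ln = der[0], der[1]
    if ln >= 0x80:
        raise ValueError("long-form length not handled in this example")
    payload = der[2:2 + ln]
    if len(payload) != ln:
        raise ValueError("truncated TLV")
    if tag == UTF8STRING:
        return "UTF8STRING", payload.decode("utf-8")
    if tag == BMPSTRING:
        return "BMPSTRING", payload.decode("utf-16-be")
    if tag == T61STRING:  # OpenSSL treats T61String as ISO-8859-1 (the req(1) BUGS note)
        return "T61STRING", payload.decode("latin-1")
    raise ValueError(f"unexpected tag 0x{tag:02x}")

def as_single_byte_chars(text):
    """UTF-8 bytes read back one character per byte, which is how a tool
    expecting ASCII/Latin-1 input sees what a UTF-8 shell hands it (ç -> Ã§)."""
    return text.encode("utf-8").decode("latin-1")

def asn1parse_line(der):
    """Mimic the line openssl asn1parse prints for one primitive string at offset 0."""
    name, text = decode_string(der)
    line = f"0:d=0  hl=2 l={der[1]:4d} prim: {name}"
    if name != "BMPSTRING":  # asn1parse does not print BMPSTRING contents
        line += f"{'':{18 - len(name)}}:{text}"
    return line

if __name__ == "__main__":
    org = "Organização"  # the organisation name from the question
    for label, s in (("as typed", org), ("bytes as Latin-1", as_single_byte_chars(org))):
        print(label, "->", asn1parse_line(encode_utf8string(s)))
        print(label, "->", asn1parse_line(encode_bmpstring(s)))
```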

2 Answers


Followed another tutorial and adapted the certificate creation to:

```
openssl req -new -x509 -days 365 -utf8 -out cert.pem -keyout key.pem
```

I opted to populate the default config file with the answers to the questions (instead of supplying them via the prompt) and added a commented non-ASCII character just to make sure it's a Unicode file (kinda unnecessary I guess, but `file` made me happy by saying "UTF-8 Unicode text").

vesperto
  • This was not enough; it worked for me when I added `-nameopt multiline,utf8` in addition to `-utf8`, as mentioned here: https://stackoverflow.com/questions/16478452/how-to-create-csr-with-utf8-subject-in-openssl#29649477 – taur Jan 25 '19 at 14:17

Decode the string into escaped ASCII and specify it on the command line. For the Universität Innsbruck, the umlaut-a must be translated into ASCII bytes. The Unicode tables show that it is U+00E4, which must be represented by the hex byte sequence c3 a4. To get that on the command line, I do:

```
server=test.uibk.ac.at
openssl req -nodes -newkey rsa:2048 -keyout $server.key -out $server.csr \
-subj '/C=AT/ST=Tyrol/L=Innsbruck/O=Universit\\xC3\\xA4t Innsbruck/OU=IT Services/CN='"$server"
```

Note, the double-backslashes and single quotes are both required. To test the effect:

```
openssl x509 -in test.uibk.ac.at.crt -noout -text | grep Subject:
```

we see

```
Subject: C=AT, ST=Tyrol, L=Innsbruck, O=Universit\xC3\xA4t Innsbruck, OU=IT Services, CN=test.uibk.ac.at
```

In the browser, we verify the key and see "Universität Innsbruck" as expected.

Otheus