Error creating CSR in openSSL using SubjectAltName 'OtherName"

Question

I'm receiving an error when trying to create a CSR that is using v3_req extensions

The errors I receive are:

Error Loading request extension section v3_req
37232:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:./crypto/asn1/a_object.c:109:
37232:error:22075093:X509 V3 routines:v2i_GENERAL_NAME_ex:othername error:./crypto/x509v3/v3_alt.c:502:
37232:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:./crypto/x509v3/v3_conf.c:93:name=subjectAltName, value=otherName:Principal Name;UTF8:1999999999123456@test

my openSSL cnf section looks like:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = otherName:UTF8:Principal Name = 1999999999123456@test

What I'm trying to accomplish is to create a csr (everything else with my script and cnf works fine, just when adding in the SAN portion) that has a SAN of other name and "Principal Name" that would look like this when viewing the cert fields

Other Name: Principal Name = 1999999999123456@test

I assume i have the v3_req and otherName setup portion incorrect but I cannot find the right documentation on usage of custom fields for SAN/OtherName. if i use this with DNS or IP, it works like you would expect.

Answer 1

after reviewing the documenation that Steffen Ullrich mentioned and checking the formatting, the correct format for adding the alt name is:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:1999999999123456@TEST