How to create SSL certificate with Unicode characters in the Organization name (or other fields)?

I've created a self-signed SSL certificate and have no trouble using it, but the browser (Firefox, Chrome/IE) shows garbled characters in the Organization's name (anything above ASCII has 2 characters).

I created the certificate in a Debian running on virtualbox (Win host), the shell's locales are all *.UTF-8, and I used CA.pl for this. I can create files with Unicode characters and have no other issues, but the cert has "Organizaução" instead of "Organização".

Any tips? Escaping the characters (how)? Dumbing down the locale to ISO/IEC 8859-1? Using some non-shell method? Am I missing something obvious?

On a side note, is there an easy way (i.e. 4ummies™) to distribute the certificate, so a user can just click and install? All the guides I've seen involve too many windows for a regular user to bother with; and without installing it the browser will yelp every time the user visits (except Firefox which allows an easy installation via the warning box).

Edit 1

Checking the asn1parse manpage and using its example:

openssl asn1parse -genstr 'UTF8:Organização'

produces:

0:d=0  hl=2 l=  17 prim: UTF8STRING        :Organização

So I assume it's a problem with the input. This is my locale information:

LANG=pt_PT.utf8
LANGUAGE=en_US:en
All LC_* fields="pt_PT.utf8"
LC_ALL=

I have no problems touching Organização or any other files with non-ASCII characters, yet my CA cert gets dumbed down to 8 bits.

Edit 2

I've started with this tutorial, but went on to reading the OpenSSL man. In reading the req man I came across this in the bugs section: "As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString"

So I tried with:

openssl asn1parse -genstr 'BMP:Organização'

and end up with an empty string:

0:d=0  hl=2 l=  26 prim: BMPSTRING
vesperto asked May 11 '14 23:05
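Added example, not part of the original post: the lengths l=17 and l=26 in the asn1parse output above are what a UTF8String and a BMPString come to when every UTF-8 byte of the input is read as a separate Latin-1 character, whereas correctly decoded input gives 13 and 22. The Python sketch below builds the DER encodings both ways; its function names are illustrative and it handles short-form lengths only.

```python
# Added example: DER UTF8String / BMPString lengths for the name in the question.
TAG_UTF8STRING = 0x0C  # ASN.1 universal tag 12
TAG_BMPSTRING = 0x1E   # ASN.1 universal tag 30
CODECS = {TAG_UTF8STRING: "utf-8", TAG_BMPSTRING: "utf-16-be"}

NAME = "Organiza\u00e7\u00e3o"  # "Organização", written with escapes to pin the code points


def encode(tag, text):
    """Build a DER TLV for a UTF8String or BMPString (short length form only)."""
    if tag == TAG_BMPSTRING and any(ord(c) > 0xFFFF for c in text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    content = text.encode(CODECS[tag])
    if len(content) >= 0x80:
        raise ValueError("long-form lengths are outside this example")
    return bytes([tag, len(content)]) + content


def decode(tlv):
    """Return (content length, text) for a TLV produced by encode()."""
    tag, length, content = tlv[0], tlv[1], tlv[2:]
    if tag not in CODECS or length != len(content):
        raise ValueError("not a short-form UTF8String/BMPString")
    return length, content.decode(CODECS[tag])


def misread_as_latin1(text):
    """The string a tool ends up with when it takes every UTF-8 input byte
    as one Latin-1 character (an assumption about the input handling)."""
    return text.encode("utf-8").decode("latin-1")


def report(text=NAME):
    """Content lengths and decoded text for correct and misread input."""
    wrong = misread_as_latin1(text)
    return {
        "utf8_correct": decode(encode(TAG_UTF8STRING, text)),
        "utf8_misread": decode(encode(TAG_UTF8STRING, wrong)),
        "bmp_correct": decode(encode(TAG_BMPSTRING, text)),
        "bmp_misread": decode(encode(TAG_BMPSTRING, wrong)),
    }


if __name__ == "__main__":
    for label, (length, shown) in report().items():
        print(f"{label:13} l={length:3} {shown}")
```

The misread UTF8String decodes to a name with each accented letter doubled into two characters, which matches the symptom of "anything above ASCII has 2 characters".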




2 Answers

Decode the string into escaped-ASCII and specify on the command line. For the Universität Innsbruck, the umlaut-a must be translated into ASCII bytes. The Unicode tables show that it is U+00E4 which must be represented by the hex character sequence c3 a4. To get that on the command-line, I do:

server=test.uibk.ac.at
openssl req -nodes -newkey rsa:2048 -keyout $server.key -out $server.csr \
-subj '/C=AT/ST=Tyrol/L=Innsbruck/O=Universit\\xC3\\xA4t Innsbruck/OU=IT Services/CN='"$server"

Note that the double backslashes and single quotes are both required. To test the effect:

openssl x509 -in test.uibk.ac.at.crt -noout -text |grep Subject:

we see

Subject: C=AT, ST=Tyrol, L=Innsbruck, O=Universit\xC3\xA4t Innsbruck, OU=IT Services, CN=test.uibk.ac.at

In the browser, we verify the key and see "Universität Innsbruck" as expected.

Otheus answered Sep 20 '22 14:09


Followed another tutorial and adapted the certificate creation to:

openssl req -new -x509 -days 365 -utf8 -out cert.pem -keyout key.pem

I opted to populate the default config file with the answers to the questions (instead of supplying them via the prompt) and added a commented non-ASCII character just to make sure it's a Unicode file (kinda unnecessary I guess but file made me happy by saying UTF-8 Unicode text).

vesperto answered Sep 18 '22 14:09