Is there a way to change the string format for an existing CSR "Country Code" field from UTF8 to Printable String?

Posted by Mike B on Server Fault See other posts from Server Fault or by Mike B
Published on 2012-08-29T20:16:21Z Indexed on 2012/08/29 21:40 UTC
Read the original article Hit count: 308

Filed under:
|
|
|
|

CentOS 5.x

The short version:

Is there a way to change the encoding format for an existing CSR "Country Code" field from UTF8 to Printable String?

The long version:

I've got a CSR generated from a product using standard java security providers (jsse/jce). Some of the information in the CSR uses UTF8 Strings (which I understand is the preferred encoding requirement as of December 31, 2003 - RF 3280).

The certificate authority I'm submitting the CSR to explicitly requires the Country Code to be specified as a PrintableString. My CSR has it listed as a UTF8 string.

I went back to the latest RFC - http://www.ietf.org/rfc/rfc5280.txt. It seems to conflict specifically on countryName. Here's where it gets a little messy...

The countryName is part of the relative DN. The relative DN is defined to be of type DirectoryString, which is defined as a choice of teletexString, printableString, universalString, utf8String, or bmpString. It also more specifically defines countryName as being either alpha (upper bound 2 bytes) or numeric (upper bound 3 bytes). Furthermore, in the appendix, it refers to the X520countryName, which is limited to be only a PrintableString of size 2.

So, it is clear why it doesn't work. It appears that the certificate authority and Sun/Java do not agree on their interpretation of the requirements for the countryName. Is there anything I can do to modify the CSR to be compatible with the CA?

© Server Fault or respective owner

Related posts about security

Related posts about ssl