I am generating a CA certificate with openssl version 1.0.1e with the following commands:
openssl ecparam -out ec_key.pem -name secp384r1 -genkey openssl req -new -key ec_key.pem -x509 -nodes -days 1460 -out ec_ca_cert.pem
At the end of this process I enter DN fields as follow:
Country Name (2 letter code) [AU]:US State or Province Name (Full Name) [Some-State]:Florida Locality Name (eg, city)[]:Miami Organization Name (eg, company) [Internet Widgits Pty Ltd]:Coca Cola Organization Unit Name (eg, section) []:Drinks Common Name (e.g. server FQDN or YOUR name) []:Miki Email Address []:
I convert the ec_ca_cert.pem certificate to DER format:
openssl x509 -in ec_ca_cert.pem -inform PEM -out ec_ca_cert.der -outform DER
When I edit the ec_ca_cert.der file with an HEX editor, I can clearly see that the Country field is encoded as PRINTABLESTRING (Type=0x13) while all the other fields (Locality Name, Organization Name, Organization Unit Name, Common Name) are encoded as UTF8STRING (Type=0x0c).
Is there a reason for this, or is there a problem in my process, or an openssl issue?
I got the following answer in openssl-users forum: "countryName is ALWAYS a PrintableString, and is ALWAYS 2 characters long. See X.520 for a normative definition, included in RFC5280 for information. "