Tags: ssl, openssl, private-key, csr

OpenSSL: A problem with Field Name abbreviations?


I am trying to create a new private key and CSR file for a colleague with some provided details:

C                      = US
S                      = Florida
L                      = XXXXX
O                      = Foo Inc.
OU                     = IT

I read up on generating keys and CSR using OpenSSL and used a command to create it normally:

openssl req -new -nodes -keyout mydomain.key -out mydomain.csr -subj "/C=US/S=Florida/L=XXXXX/O=Foo Inc./OU=IT/CN="

but this returns an error:

Generating a 2048 bit RSA private key
..................+++
..+++
writing new private key to 'mydomain.key'
-----
req: Skipping unknown attribute "S"
problems making Certificate Request
139945692307904:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:61:
139945692307904:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:../crypto/asn1/a_mbstr.c:102:minsize=1

Am I missing something obvious here? I originally gave him a CSR generated normally without the -subj argument (filled in using the Ubuntu terminal), but he says the inclusion of the "ST" abbreviation is causing a rejection from his CA. The state argument has to be "S". I don't work with SSL very often, so Google has not really been helpful in telling me where to look.


Solution

  • Look at man req (from openssl) and specifically the example at the end:

        [ req_distinguished_name ]
        C                      = GB
        ST                     = Test State or Province
        L                      = Test Locality
        O                      = Organization Name
        OU                     = Organizational Unit Name
        CN                     = Common Name
        emailAddress           = test@email.address
    

    The short version of stateOrProvinceName is ST not S.

    I do not know where "but he says the inclusion of the "ST" abbreviation is causing a rejection from his CA." comes from, but that is certainly wrong, and you should get the actual error from the CA directly.

    The reference is the X.520 standard; you can download it from https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items

    In it you can see:

    stateOrProvinceName ATTRIBUTE ::= {
    SUBTYPE OF  name
    WITH SYNTAX UnboundedDirectoryString
    LDAP-SYNTAX directoryString.&id
    LDAP-NAME   {"st"}
    ID          id-at-stateOrProvinceName }
    

    You can clearly see that the abbreviation is "st" and not "s". It is impossible for a public CA to do things otherwise.
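As an added example (not code from the question or the answer above), the following Python 3 script lints an OpenSSL-style `-subj` string before it is handed to `openssl req`. It reports the two things OpenSSL complained about in the question: an attribute type it does not recognise (`S`, where the standard short name for stateOrProvinceName is `ST`) and an empty value (`CN=`, which is what the "string too short ... minsize=1" error refers to). It uses only the standard library; the short-name/OID table is the standard X.520 / RFC 4519 set for the attributes commonly used in a CSR subject, and the `ALIASES` table of typical mistakes is an assumption of this example, not something OpenSSL provides.

```python
"""Lint an OpenSSL-style "-subj" string before running `openssl req`.

Added example, not code from the question or the answer. Stdlib only.
The short names and OIDs below are the standard X.520 / RFC 4519 ones for
the attributes commonly used in a CSR subject; OpenSSL also accepts the long
names (e.g. stateOrProvinceName). Multi-valued RDNs joined with "+" are not
handled here.
"""
import re

# short name -> (long name, OID). Short names are what `-subj` normally uses.
KNOWN_TYPES = {
    "C":            ("countryName",            "2.5.4.6"),
    "ST":           ("stateOrProvinceName",    "2.5.4.8"),
    "L":            ("localityName",           "2.5.4.7"),
    "O":            ("organizationName",       "2.5.4.10"),
    "OU":           ("organizationalUnitName", "2.5.4.11"),
    "CN":           ("commonName",             "2.5.4.3"),
    "emailAddress": ("emailAddress",           "1.2.840.113549.1.9.1"),
    "DC":           ("domainComponent",        "0.9.2342.19200300.100.1.25"),
    "SN":           ("surname",                "2.5.4.4"),
    "serialNumber": ("serialNumber",           "2.5.4.5"),
}
_LONG_TO_SHORT = {long_name: short for short, (long_name, _) in KNOWN_TYPES.items()}

# Hand-written subjects often use these; OpenSSL does not know them.
# This alias table is an assumption of the example, not an OpenSSL feature.
ALIASES = {
    "S": "ST",              # the state/province attribute is "ST", never "S"
    "STATE": "ST",
    "E": "emailAddress",
    "EMAIL": "emailAddress",
}


def parse_subj(subj):
    """Split "/C=US/ST=Florida/O=Foo Inc." into [(type, value), ...].

    Components are separated by "/"; a literal slash inside a value is
    escaped as "\\/", the convention `openssl req -subj` uses.
    """
    if not subj.startswith("/"):
        raise ValueError("-subj must start with '/'")
    # Split on "/" that is not preceded by a backslash, then unescape.
    parts = re.split(r"(?<!\\)/", subj[1:])
    rdns = []
    for part in parts:
        if part == "":
            continue
        if "=" not in part:
            raise ValueError("component %r has no '='" % part)
        typ, value = part.split("=", 1)
        rdns.append((typ, value.replace("\\/", "/")))
    return rdns


def _canonical(typ):
    """Map a short or long attribute name to its short name, or None if unknown."""
    if typ in KNOWN_TYPES:
        return typ
    return _LONG_TO_SHORT.get(typ)


def lint_subj(subj):
    """Return a list of problem strings; an empty list means the subject is usable."""
    problems = []
    for typ, value in parse_subj(subj):
        canon = _canonical(typ)
        if canon is None:
            # OpenSSL prints 'Skipping unknown attribute "<typ>"' for these.
            hint = ALIASES.get(typ.upper())
            if hint:
                problems.append('unknown attribute "%s": did you mean "%s" (%s)?'
                                % (typ, hint, KNOWN_TYPES[hint][0]))
            else:
                problems.append('unknown attribute "%s": OpenSSL will skip it' % typ)
            continue
        if value == "":
            # An empty RDN value cannot be encoded; this is the
            # "ASN1_mbstring_ncopy:string too short ... minsize=1" error.
            problems.append('empty value for "%s" (%s): every RDN value needs at least 1 character'
                            % (typ, KNOWN_TYPES[canon][0]))
    return problems


def build_subj(rdns):
    """Build a -subj string from (type, value) pairs, escaping '/' in values."""
    return "".join("/%s=%s" % (t, v.replace("/", "\\/")) for t, v in rdns)


def fix_subj(subj):
    """Rewrite known aliases (S -> ST), use short names, and drop empty components.

    Dropping an empty CN is acceptable for a CSR whose names go in
    subjectAltName; if a CN is required, supply a real one instead.
    """
    fixed = []
    for typ, value in parse_subj(subj):
        canon = _canonical(typ) or ALIASES.get(typ.upper())
        if canon is None or value == "":
            continue
        fixed.append((canon, value))
    return build_subj(fixed)


if __name__ == "__main__":
    # The subject from the question, reproduced here as sample input.
    subj = "/C=US/S=Florida/L=XXXXX/O=Foo Inc./OU=IT/CN="
    for p in lint_subj(subj):
        print("problem:", p)
    print("suggested:", fix_subj(subj))
```

Run it with the subject from the question and it flags `S` (suggesting `ST`) and the empty `CN`, then prints `/C=US/ST=Florida/L=XXXXX/O=Foo Inc./OU=IT` as a subject that `openssl req -subj` will accept; the surest check afterwards is still `openssl req -in mydomain.csr -noout -subject`, which prints the subject exactly as it was encoded in the CSR.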