OpenSSL self signed certificate with a common name longer than 64 bytes
I can create a self signed certificate using openSSL as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX -nodes
The interface somehow restricts me to 64 bytes for the common name. How can I create a certificate that has a common name longer than 64 bytes?
openssl
asked Oct 6 '15 at 17:51
SivaDotRender
2 Answers
In my case, all the answers of "don't do this, it's against standards" were very unhelpful since I needed to do this as part of a reverse engineering challenge. In my case, the fact that it was against the standards didn't matter whatsoever.
Here are the (rough) steps:
- Download the latest source of libressl from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ (I used 2.6.0 because it's the version that ships on macOS Mojave)
- Unzip/tar/gz and then open /crypto/asn1/a_mbstr.c in your favorite editor
- Search for something that looks like the following:

    if ((maxsize > 0) && (nchar > maxsize)) {
        ASN1error(ASN1_R_STRING_TOO_LONG);
        ERR_asprintf_error_data("maxsize=%ld", maxsize);
        return -1;
    }

  and comment it out. For version 2.6.0, this was on lines 155-159. By removing these lines, you are removing the max CN length check.
- Follow the directions in the README file to build the binary. I didn't need to install any libraries when I built on macOS but YMMV. I used cmake which dropped the new openssl binary in /build/apps/openssl
- Generate a CSR using the command line flags (read: NOT THE INTERACTIVE TOOL -- it has a special check that is not patched out by this modification!). For example:

    /build/apps/openssl/openssl req -new -newkey rsa:2048 -nodes -out a.csr -keyout a.key -subj "/CN=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

- Using the stock openssl binaries (or the modified ones, if you want), sign the CSR:

    openssl x509 -req -in a.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out a.crt -days 500 -sha256

After that, you should have your wonderful non-compliant certificate ready to use. I have noticed quite a few issues with using certificates with CNs longer than 64 characters (macOS curl cannot speak to servers using these certificates, Wireshark truncates the CN in the dissector display, etc.) but it does in fact work for what I needed.
edited 15 hours ago
muru
answered 15 hours ago
Sirens
You can't.
The specified max limit is 64:
-- specifications of Upper Bounds MUST be regarded as mandatory
-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
-- Upper Bounds
-- Upper Bounds
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
answered Oct 6 '15 at 18:17
Andrew Henle
What if I do not care about the validity of the certificate and I just need it for testing? I believe I would have to manually edit the certificate in this case.
– SivaDotRender
Oct 6 '15 at 18:20
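The upper bounds quoted in the second answer, and the non-compliant certificate produced in the first, can be checked mechanically. The following Python is an added example, not part of either answer and not OpenSSL or LibreSSL code: it walks the DER subject of a certificate and reports attributes over the quoted bounds, counting characters as the nchar check above does. The function names and the constructed sample subject are assumptions of this example; it expects DER with single-byte tags.

```python
import ssl
import sys

# Limits quoted in the answer above; keys are the DER-encoded attribute OIDs.
UPPER_BOUNDS = {
    bytes.fromhex("550403"): ("commonName", 64),            # ub-common-name
    bytes.fromhex("550407"): ("localityName", 128),         # ub-locality-name
    bytes.fromhex("550408"): ("stateOrProvinceName", 128),  # ub-state-name
    bytes.fromhex("55040a"): ("organizationName", 64),      # ub-organization-name
}
# String tag -> codec, so limits apply to characters (T61String read as latin-1).
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii",
          0x1C: "utf-32-be", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_of(cert_der):
    """Return the content of the subject Name from a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # optional explicit [0] version field
        tbs = tbs[1:]
    return tbs[4][1]  # serialNumber, signature, issuer, validity, subject

def oversized_attributes(name_value):
    """List (attribute, characters, limit) for every value over its bound."""
    findings = []
    for _, rdn in children(name_value):       # RDNSequence -> SET
        for _, atv in children(rdn):          # SET -> AttributeTypeAndValue
            (_, oid), (tag, raw) = children(atv)[:2]
            if oid in UPPER_BOUNDS and tag in CODECS:
                name, limit = UPPER_BOUNDS[oid]
                count = len(raw.decode(CODECS[tag], errors="replace"))
                if count > limit:
                    findings.append((name, count, limit))
    return findings

# Constructed sample: subject content holding one UTF8String CN of 73 characters.
SAMPLE_SUBJECT = bytes.fromhex("3152305006035504030c49") + b"A" * 73

if __name__ == "__main__":
    # With a path, check a PEM certificate; otherwise the constructed sample.
    name = (subject_of(ssl.PEM_cert_to_DER_cert(open(sys.argv[1]).read()))
            if len(sys.argv) > 1 else SAMPLE_SUBJECT)
    print(oversized_attributes(name))
```

Run with a PEM certificate path such as a.crt to check a real file; an empty list means every checked attribute is within its bound.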