How to create CSR with utf8 subject in openssl?

Question

I am trying to generate Certificate Signing Request with UTF-8 subject.

$ openssl req  -utf8 -nodes -newkey rsa:2048 -keyout my.private_key.pem -out my.csr.pem          


        

Answer 1

I've been successful with command

openssl req -new -utf8 -nameopt multiline,utf8 -config example.com.cnf -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Where example.com.cnf is a configuration file in UTF-8:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = Описание сайта                # Site description
emailAddress = envek@envek.name
O = Моя компания                   # My company
OU = Моё подразделение             # My dept
L = Москва                         # Moscow
C = RU

[ext]
subjectAltName = DNS:example.com,DNS:*.example.com

Displayed correctly in Chrome, Firefox, and Safari.

Answer 2

Try using the string_mask option:

string_mask

This option masks out the use of certain string types in certain fields. Most users will not need to change this option.

It can be set to several values default which is also the default option uses PrintableStrings, T61Strings and BMPStrings if the pkix value is used then only PrintableStrings and BMPStrings will be used. This follows the PKIX recommendation in RFC2459. If the utf8only option is used then only UTF8Strings will be used: this is the PKIX recommendation in RFC2459 after 2003. Finally the nombstr option just uses PrintableStrings and T61Strings: certain software has problems with BMPStrings and UTF8Strings: in particular Netscape.

Answer 3

Any unicode work for me, from php file.

<? shell_exec('openssl req -new -md5 -utf8 -key C:/Temp/1.key -out C:/Temp/1.csr -subj "/C=MD/ST=ff/O=Religie/OU=Cen/CN=中国/emailAddress=test@religiasatanista.ro" -config C:/Temp/openssl.cnf'); ?>