Evan_25555
Historic F5 Account
Jun 12, 2012

Determining encoding schemes of SSL traffic Certificates

It's probably worth mentioning that this question has nothing to do with certificate formats (PEM, PKCS...), rather it has to do with how attributes of the certificate are encoded.

When our servers would authenticate to certain mobile users (specifically Android), the "CommonName" attribute appears mangled. According to our security review team, this is due to the fact that the CommonName field is encoded using BMPString which according to RFC 2459 is deprecated:

“The UTF8String encoding is the preferred encoding, and all certificates issued after December 31, 2003 MUST use the UTF8String encoding of DirectoryString (except as noted below).”

I have attempted to determine what encoding schemes our certificates use according to this reference without much success:

http://www.novell.com/support/kb/doc.php?id=3369938

In reviewing the output below, I see no mention of UTF8 or any other encoding scheme. Does anyone have any thoughts concerning how we might establish which encoding scheme is being employed or what clues I might be overlooking in the (sanitized) output below?


tmp openssl asn1parse -inform DER -in ws.example.com.der
0:d=0 hl=4 l=1108 cons: SEQUENCE
4:d=1 hl=4 l= 828 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 17 prim: INTEGER :8A6CBD017E6BB38DC6DA228E3B211727
32:d=2 hl=2 l= 13 cons: SEQUENCE
34:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
45:d=3 hl=2 l= 0 prim: NULL
47:d=2 hl=2 l= 88 cons: SEQUENCE
49:d=3 hl=2 l= 27 cons: SET
51:d=4 hl=2 l= 25 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :organizationName
58:d=5 hl=2 l= 18 prim: PRINTABLESTRING :Example, Inc
78:d=3 hl=2 l= 33 cons: SET
80:d=4 hl=2 l= 31 cons: SEQUENCE
82:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
87:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Example, Inc Certificate Services
113:d=3 hl=2 l= 22 cons: SET
115:d=4 hl=2 l= 20 cons: SEQUENCE
117:d=5 hl=2 l= 3 prim: OBJECT :commonName
122:d=5 hl=2 l= 13 prim: PRINTABLESTRING :Example SSL CA v1
137:d=2 hl=2 l= 30 cons: SEQUENCE
tmp
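Added example, not part of the original post: a small Python DER walker that reports, for every attribute of an X.509 Name, which ASN.1 string type (PrintableString, UTF8String, BMPString, ...) its value carries. This is the same information `openssl asn1parse` already prints in its type column, so the issuer attributes visible in the truncated output above are PrintableString, while the Subject that holds the server's CommonName sits further down, after the validity SEQUENCE at offset 137, and a BMPString value there would print as BMPSTRING. The sample Name below is constructed for the example (organizationName as PrintableString, commonName as BMPString), not taken from any real certificate.

```python
# Universal tag numbers of the DirectoryString choices (X.680 / RFC 5280)
STRING_TAGS = {12: ("UTF8String", "utf-8"), 19: ("PrintableString", "ascii"),
               22: ("IA5String", "ascii"), 30: ("BMPString", "utf-16-be")}
OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName"}

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV at buf[pos]; short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    out, pos = [], 0                        # split a constructed TLV into (tag, contents) members
    while pos < len(contents):
        tag, body, pos = read_tlv(contents, pos)
        out.append((tag, body))
    return out

def decode_oid(contents):
    arcs, value = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                  # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def name_string_types(name_der):
    """List (attribute, ASN.1 string type, text) for every attribute of a DER Name."""
    _tag, rdns, _ = read_tlv(name_der, 0)   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    result = []
    for _set, rdn in children(rdns):
        for _seq, atv in children(rdn):
            (_, oid), (val_tag, val) = children(atv)
            kind, codec = STRING_TAGS.get(val_tag, ("tag %d" % val_tag, None))
            text = val.decode(codec) if codec else val.hex()
            result.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), kind, text))
    return result

def tlv(tag, body):
    """Tiny DER encoder (short-form lengths only) used to build the sample below."""
    return bytes([tag, len(body)]) + body

# Constructed sample Name (not a real certificate): O as PrintableString, CN as BMPString
O_ATV = tlv(0x30, tlv(0x06, bytes([0x55, 0x04, 0x0A])) + tlv(0x13, b"Example, Inc"))
CN_ATV = tlv(0x30, tlv(0x06, bytes([0x55, 0x04, 0x03]))
              + tlv(0x1E, "ws.example.com".encode("utf-16-be")))
SAMPLE_NAME = tlv(0x30, tlv(0x31, O_ATV) + tlv(0x31, CN_ATV))   # SEQUENCE OF SET OF ATV
```

To check a real certificate, pass name_string_types the DER bytes of its Subject SEQUENCE (openssl asn1parse -strparse <offset> -out subject.der can extract that structure).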
