How to correctly display a Chinese certificate using OpenSSL

How to correctly display a Chinese certificate using OpenSSL Author:Liu Kai mslk.sa@gmail.com Source:Http://blog.csdn.net/mslk Posting time:2006-10-23 Browsing times:3896 Font Size:Large, medium and small

How to Use OpenSSL to generate a certificate that correctly displays Chinese Characters

\ Author liukai mslk.sa@gmail.com

Recently, I used OpenSSL to generate a certificate to work with HTTPS. However, I can only use a self-signed certificate without the root certificate signature. When a user accesses https, there will be a security warning, check that the certificate contains a bunch of letters and numbers. If some Chinese prompts are displayed in the certificate, you can understand the certificate, so that you can have less problems.
Certificate requests created by the req subcommand of OpenSSL can only be encoded in ASCII and UTF-8.
The certificate created at the beginning is always garbled, and only one article is found online [Http://www.infosecurity.org.cn/forum/read.php? FID = 11 & tid = 201 & fpage = 1] Is to say how to create a Chinese certificate solution, which also need to modify the OpenSSL source code, carefully looked at his modification method, which is to all ASCII are processed as a UTF-8, because the main modification is:
Case mbstring_asc of switch (inform)
Case mbstring_asc of switch (outform)
Part of the Code.

I felt that he was wrong, so I didn't use his method to modify this part of code. I read the code of case mbstring_utf8. There are mainly two functions that are important, both in the file a_utf8.c.
Utf8_getc function for switch (inform)
Utf8_putc function for switch (outform)
There are a lot of bit operations, because I have been not familiar with Unicode, and read the UTF-8 information,Http://www.linuxforum.net/books/UTF-8-Unicode.htmlHere to extract the important characteristics of UTF-8:

* The UCS character U + 0000 to U + 007f (ASCII) is encoded as byte 0x00 to 0x7f (ASCII compatible ). this means that files containing only 7 ASCII characters are the same in both ASCII and UTF-8 encoding methods.
* All> U + 007f UCOS characters are encoded into a string of multiple bytes, each of which has a tag set. therefore, ASCII bytes (0x00-0x7f) cannot be part of any other character.
* Indicates that the first byte of a Multi-byte string with non-ASCII characters is always in the range from 0xc0 to 0xfd, and indicates the number of bytes contained in the character. the remaining bytes of the multibyte string are in the range of 0x80 to 0 x BF. this makes re-synchronization very easy, and makes the encoding without borders, and is rarely affected by the loss of bytes.
* It can be compiled into all possible 231 UCS code.
* In theory, UTF-8 encoding characters can be up to 6 bytes long, but 16-bit BMP characters can only be up to 3 bytes long.
* The Order of the bigendian UCS-4 byte strings is predetermined.
* Bytes 0xfe and 0xff are never used in UTF-8 encoding.

It is strongly recommended to look at these two functions (utf8_getc, utf8_putc) with these features, will be very fruitful, can fully understand the UTF-8.
Certainly, OpenSSL has fully implemented the UTF-8 function, you can make a Chinese certificate.

After a variety of tests, you can finally use the UTF-8 in the certificate to correctly display Chinese, the method is as follows:
1. If the configuration file is OpenSSL. CNF (under the openssl-0.9.8.d/apps/directory), edit the following:
String_mask = utf8only
Countryname_default = Cn
Stateorprovincename_default = Chinese province name
Localityname_default = Chinese city name
0. organizationname_default = Organization, Company
Organizationalunitname_default = Organization
Commonname_default = Liu Kai's Chinese certificate
2. Use the following command to convert the file format to UTF-8
Iconv-f gbk-T UTF-8 OpenSSL. CNF> openssl_utf8.cnf
3. When using OpenSSL to generate a Certificate Signature request, add-utf8 and specify the configuration file as openssl_utf8.cnf
OpenSSL req-utf8-config openssl_utf8.cnf-New-out server. req
In addition to entering the password, all other keys will enter, and it will be OK.

Then, sign the certificate signature request to generate a Chinese certificate.
OpenSSL X509-in server. req-out server. CRT-signkey privkey. pem-days 365

Now, install server. CRT to view the Chinese information.