Invalid characters in Cert Manager



  • I'm having problems generating certificates in Cert Manager, since the Organization Name contains a period - pfSense claims that this is an invalid character. I found this topic, which somewhat vaguely lists "< > ~ ! @ # $ % ^ / \ ( ) ? . , &" as being invalid, however the only places I've seen these characters listed are on some CA's "How to generate CSR" pages (and they appear to have all come from the same origin, since the wording is nearly identical). I can't see anything about this in RFC 5280 (the closest I can find is that most fields have an option to use PrintableString, which does limit certain characters [but not .], however it's not the only choice for said fields).

    Is this a bug in Cert Manager, or did I miss something?


  • Rebel Alliance Developer Netgate

    Here is the original bug where the input validation was added: https://redmine.pfsense.org/issues/1437

    If we reject the characters, odds are they are really out-of-spec or openssl barfed on them (or the PHP openssl module did…)

    Digging at it again, I find that many of the strings (CN, OU, O, L, ST, STREET, TITLE, UID) are "Directory String" type and RFC 4514 has the latest standard that defines the allowable characters for that. It excludes the following list, which are actually still allowed if they are escaped:

    ' ', '"', '#', '+', ',', ';', '<', '=', '>', or ''

    It's possible we could relax the input validation there (or add escaping for these characters), provided it did not cause any problems with openssl or other related items.


  • Rebel Alliance Developer Netgate

    Escaping seems to work pretty well. I went ahead and committed some changes to 2.4 to bring us more in line with RFC 4514 on the allowed characters. I tried a bunch of weird combinations and it worked OK all-around, at least creating CA/Certs and such. There may be some other areas that need work yet (openvpn wizard, perhaps).

    https://redmine.pfsense.org/issues/7540
    https://github.com/pfsense/pfsense/commit/83d2b83af9953ecbcc5917d935f077e7dabe8e10



  • Thanks!


Log in to reply