I can create a self-signed certificate using OpenSSL as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX -nodes
The interface somehow restricts me to 64 bytes for the common name. How can I create a certificate that has a common name longer than 64 bytes?
Best Answer
In my case, all the answers of "don't do this, it's against standards" were very unhelpful since I needed to do this as part of a reverse engineering challenge. In my case, the fact that it was against the standards didn't matter whatsoever.
Here are the (rough) steps:
/crypto/asn1/a_mbstr.c in your favorite editor
Search for something that looks like the following:
and comment it out. For version 2.6.0, this was on lines 155-159. By removing these lines, you are removing the max CN length check.
Follow the directions in the README file to build the binary. I didn't need to install any libraries when I built on macOS but YMMV. I used cmake which dropped the new openssl binary in /build/apps/openssl
Generate a CSR using the command line flags (read: NOT THE INTERACTIVE TOOL -- it has a special check that is not patched out by this modification!).
For example:
Using the stock openssl binaries (or the modified ones, if you want), sign the CSR:
After that, you should have your wonderful non-compliant certificate ready to use. I have noticed quite a few issues with using certificates with CNs longer than 64 characters (Wireshark truncates the CN in the dissector display, etc.) but it does in fact work for what I needed.
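A check for the kind of non-compliant certificate described in the answer above, added here as an example and not part of the original post: a dependency-free Python walker that finds commonName (OID 2.5.4.3) values in DER data and reports those over the 64-character bound that RFC 5280 names ub-common-name. The function names and the sample Name structure are constructed for illustration; multi-byte tags and indefinite lengths, which certificates do not use, are not handled.

```python
# Added example: flag commonName values longer than ub-common-name (64).
CN_OID = bytes([0x55, 0x04, 0x03])    # OID 2.5.4.3 (commonName), DER content octets
UB_COMMON_NAME = 64                   # RFC 5280 upper bound, counted in characters
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii",
          0x1E: "utf-16-be", 0x1C: "utf-32-be"}   # string tag -> codec

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def common_names(buf, start=0, end=None):
    """Yield each commonName string found in the nested constructed elements."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        first = read_tlv(buf, vs) if tag == 0x30 and vs < ve else None
        if first and first[0] == 0x06 and buf[first[1]:first[2]] == CN_OID:
            stag, ss, se = read_tlv(buf, first[2])    # the attribute value
            yield buf[ss:se].decode(CODECS.get(stag, "latin-1"), "replace")
        elif tag & 0x20:              # any other SEQUENCE, SET or [n]: descend
            yield from common_names(buf, vs, ve)
        pos = ve

def oversized_common_names(der_bytes):
    """Return the commonName values that exceed the 64-character bound."""
    return [cn for cn in common_names(der_bytes) if len(cn) > UB_COMMON_NAME]

def der(tag, body):
    """Encode one TLV; used only to build the constructed sample below."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_name(cn):
    """Constructed X.501 Name holding a single UTF8String commonName."""
    atv = der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode("utf-8")))
    return der(0x30, der(0x31, atv))

if __name__ == "__main__":
    for cn in ("short.example", "a" * 65, "é" * 40):
        print(len(cn), oversized_common_names(sample_name(cn)) != [])
```

To run it against a real certificate, pass the DER bytes of the whole certificate, for instance the output of `ssl.PEM_cert_to_DER_cert()` encoded with `base64.b64decode` undone, or simply the contents of a `.der` file; both subject and issuer names are scanned.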