I can create a self signed certificate using openSSL as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX -nodes
The interface somehow restricts me to 64 bytes for the common name. How can I create a certificate that has a common name longer than 64 bytes?
In my case, all the answers of "don't do this, it's against standards" were very unhelpful since I needed to do this as part of a reverse engineering challenge. In my case, the fact that it was against the standards didn't matter whatsoever.
Here are the (rough) steps:
/crypto/asn1/a_mbstr.c in your favorite editorSearch for something that looks like the following:
if ((maxsize > 0) && (nchar > maxsize)) {
ASN1error(ASN1_R_STRING_TOO_LONG);
ERR_asprintf_error_data("maxsize=%ld", maxsize);
return -1;
}
and comment it out. For version 2.6.0, this was on lines 155-159. By removing these lines, you are removing the max CN length check.
Follow the directions in the README file to build the binary. I didn't need to install any libraries when I built on macOS but YMMV. I used cmake which dropped the new openssl binary in /build/apps/openssl
Generate a CSR using the command line flags (read: NOT THE INTERACTIVE TOOL -- it has a special check that is not patched out by this modification!).
For example:
/build/apps/openssl/openssl req -new -newkey rsa:2048 -nodes -out a.csr -keyout a.key -subj "/CN=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
Using the stock openssl binaries (or the modified ones, if you want), sign the CSR:
openssl x509 -req -in a.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out a.crt -days 500 -sha256
After that, you should have your wonderful non-compliant certificate ready to use. I have noticed quite a few issues with using certificates with CNs longer than 64 characters (Wireshark truncates the CN in the disector display, etc) but it does in fact work for what I needed.
You can't.
The specified max limit is 64:
-- specifications of Upper Bounds MUST be regarded as mandatory
-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
-- Upper Bounds
-- Upper Bounds
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
In addition to Allison's excellent answer, I discovered that other certificate generation tools don't always follow this CN limit like openssl does.
For example: I made a simple self-signed cert and key generation script using Golang, where you can set a CN to be arbitrarily long.
Here is my solution that you can run in your browser or copy the code to modify and execute locally: https://go.dev/play/p/GbdoV0UEmFb
This code will generate a key, sign the cert, and print both out in the output in PEM format (similar to the openssl commands used in this thread). Please read through the comments if considering using this for anything important. Here is proof of the long CN when using openssl to read the generated cert from this script:
$ openssl x509 -text -noout -in playground.crt | head -n 11
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a8:fd:bf:b8:f3:f9:85:09:36:28:89:fa:65:27:33:ed:19:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = MY REALLY LONG COMMON NAME THAT IS DEFINITELY LONGER THAN 64 CHARACTERS
Validity
Not Before: Nov 10 23:00:00 2009 GMT
Not After : Nov 10 23:00:00 2010 GMT
Subject: CN = MY REALLY LONG COMMON NAME THAT IS DEFINITELY LONGER THAN 64 CHARACTERS
