Any magic about the 64 bytes common-name length limit #1095

Closed

ihipop opened this issue Mar 20, 2024 · 9 comments

Comments

@ihipop

ihipop commented Mar 20, 2024

I have read about this in
RFC 3280: https://www.ietf.org/rfc/rfc3280.html#:~:text=ub-common-name-length%20integer%20%3A%3A%3D
RFC 5280: https://www.ietf.org/rfc/rfc5280.html#:~:text=ub-common-name-length%20integer%20%3A%3A%3D
and the related notaryproject/notary#914.

And if I issue a certificate with a common name longer than 64 bytes, easy-rsa fails with an error:

Using Easy-RSA 'vars' configuration:
* /home/*****/CA/vars

Using SSL:
* openssl OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
-----
String too long, must be at most 64 bytes long
Error making certificate request

Easy-RSA error:

easyrsa_openssl - Command has failed:
* openssl req -utf8 -new -newkey ec:/home/*****/CA/pki/15b9edd6/temp.1.1 -keyout /home/*****/CA/pki/15b9edd6/temp.2.1 -out /home/*****/CA/pki/15b9edd6/temp.3.1 -noenc -batch

EasyRSA Version Information
Version:     3.1.7
Generated:   Fri Oct 13 17:27:51 CDT 2023
SSL Lib:     OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
Git Commit:  3c233d279d43e419b0529411ee62bba7a08f0c0f
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.7 | nix | Linux | /bin/bash

WARNING
=======
cleanup - remove_secure_session failed

But your CloudConnexa of OpenVPN allows a common name to exceed 64 bytes:

[image attachment]

Is there any magic in easy-rsa?

@ihipop (Author)

ihipop commented Mar 20, 2024

I've tried changing

EASYRSA_DN to cn_only

and then changing the commonName_max of cn_only to 128 in openssl-easyrsa.cnf.
Still, the error exists:

Using SSL:
* openssl OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
-----
Error making certificate request
4077017C547F0000:error:06800097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:crypto/asn1/a_mbstr.c:106:maxsize=64
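As an added example (not code from the issue thread, easy-rsa, or OpenSSL), the Python below hand-encodes a one-attribute X.520 Name as DER and applies the RFC 5280 ub-common-name-length bound of 64 (Appendix A, `ub-common-name-length INTEGER ::= 64`). That bound is what the second error is reporting: OpenSSL's built-in X.520 string table (crypto/asn1/a_strnid.c) hands maxsize=64 for commonName to ASN1_mbstring_ncopy inside X509_NAME_add_entry_by_NID, independently of any commonName_max in openssl-easyrsa.cnf. The function names and the DER helpers are the example's own; the two sample common names are the device UUID and the e-mail-prefixed name quoted later in the thread.

```python
"""Encode and check an X.520 commonName the way RFC 5280 bounds it.

Added example for this thread; it is not easy-rsa or OpenSSL code. It
hand-builds the DER for a one-attribute Name (SEQUENCE OF SET OF
AttributeTypeAndValue, RFC 5280 section 4.1.2.4) and applies the
ub-common-name-length bound from RFC 5280 Appendix A, which OpenSSL's
ASN1_mbstring_ncopy enforces as "maxsize=64" regardless of commonName_max.
"""

UB_COMMON_NAME_LENGTH = 64                  # RFC 5280 Appendix A: ub-common-name-length INTEGER ::= 64
OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3, as DER content octets
TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x30, 0x31


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def cn_length(common_name: str) -> int:
    """X520CommonName is a DirectoryString with SIZE (1..ub-common-name): the
    bound counts characters of the string, not the UTF-8 bytes it encodes to."""
    return len(common_name)


def fits_common_name(common_name: str) -> bool:
    return 1 <= cn_length(common_name) <= UB_COMMON_NAME_LENGTH


def encode_cn_name(common_name: str) -> bytes:
    """DER Name holding a single commonName RDN; ValueError if the bound is exceeded."""
    if not fits_common_name(common_name):
        raise ValueError(f"string too long: {cn_length(common_name)} characters, "
                         f"maxsize={UB_COMMON_NAME_LENGTH}")
    atv = der_tlv(TAG_SEQUENCE,
                  der_tlv(TAG_OID, OID_COMMON_NAME)
                  + der_tlv(TAG_UTF8STRING, common_name.encode("utf-8")))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SET, atv))


def _read_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple:
    """Parse one DER TLV at pos, returning (content, position after it)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#04x} at offset {pos}")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long form: low bits give the count of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:end], end


def decode_cn_name(der: bytes) -> str:
    """Inverse of encode_cn_name; rejects a decoded commonName that exceeds the bound."""
    rdn_seq, end = _read_tlv(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after Name")
    rdn, _ = _read_tlv(rdn_seq, 0, TAG_SET)
    atv, _ = _read_tlv(rdn, 0, TAG_SEQUENCE)
    oid, pos = _read_tlv(atv, 0, TAG_OID)
    if oid != OID_COMMON_NAME:
        raise ValueError("attribute is not commonName")
    value, _ = _read_tlv(atv, pos, TAG_UTF8STRING)
    common_name = value.decode("utf-8")
    if not fits_common_name(common_name):
        raise ValueError(f"decoded commonName has {cn_length(common_name)} characters, "
                         f"maxsize={UB_COMMON_NAME_LENGTH}")
    return common_name


# Constructed inputs: the device UUID and the e-mail-prefixed name quoted in the thread.
DEVICE_UUID = "2BB779C3-7765-46AA-9EB2-8E9BFC0500D8"
EMAIL_PLUS_UUID = "TinCanTech@mail.TinCanTech.com/" + DEVICE_UUID

if __name__ == "__main__":
    for name in (DEVICE_UUID, EMAIL_PLUS_UUID, "Zürich" * 10):
        try:
            der = encode_cn_name(name)
            print(f"{cn_length(name):3d} chars, {len(der):3d} DER bytes, round trip ok: "
                  f"{decode_cn_name(der) == name}")
        except ValueError as err:
            print(f"{cn_length(name):3d} chars, rejected: {err}")
```

The two different messages in the thread come from two separate checks. The first ("String too long, must be at most 64 bytes long") is apps/req.c applying commonName_max from the config section before the name is built, and it counts bytes. The second (ASN1_mbstring_ncopy ... maxsize=64) is the library's own X.520 table, reached only once the config pre-check is relaxed, and it counts characters after decoding the -utf8 input; that is why the example treats "Zürich" repeated ten times (60 characters, 70 bytes) as within the RFC bound even though it would still trip the byte-counting pre-check at commonName_max = 64.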

@TinCanTech (Collaborator)

Also, try changing easyrsa:6242:

commonName_max		= 64

@ihipop (Author)

ihipop commented Mar 20, 2024

> Also, try changing easyrsa:6242:
>
> commonName_max		= 64

Have you tried? I can't make it work.

@TinCanTech (Collaborator)

The max appears to be 64.

@ihipop (Author)

ihipop commented Mar 21, 2024

Your CloudConnexa of OpenVPN allows a common name longer than 64 bytes.

@TinCanTech (Collaborator)

The EasyRSA commonName 64 character limit is sufficient for sensible requirements.

TinCanTech closed this as not planned on Mar 21, 2024

@TinCanTech (Collaborator)

Taking ASCII characters 0-9 and a-z gives a naming pool of:

36^64 = 4×10⁹⁹

More than enough.

@ihipop (Author)

ihipop commented Mar 21, 2024

> Taking ASCII characters 0-9 and a-z gives a naming pool of:
>
> 36^64 = 4×10⁹⁹
>
> More than enough.

@TinCanTech

If you use OpenVPN web auth, you will find out that every device has a device ID in the form of a UUID, which is 36 bytes long.

To distinguish every device with a different common name, usually an enterprise email address is prefixed as part of the common name, just like what CloudConnexa of OpenVPN does.
For example:

TinCanTech@mail.TinCanTech.com/2BB779C3-7765-46AA-9EB2-8E9BFC0500D8

Ta-da, that exceeds 64 bytes~

@TinCanTech (Collaborator)

CloudConnexa obviously have their own solution.
