I am trying to use certificates with OpenSSH for user and server authentication, following the guidelines at http://roumenpetrov.info/.

First, both the server and client use self-signed certificates generated by OpenSSH. In this case, OpenSSH works fine with certificate authentication.

Second, the server and client apply for certificates (in DER format) signed by our company, which contain UTF-8 encoding (i.e. they contain Chinese). I convert the certificate from DER format to PEM format with the command:

openssl x509 -in server.der -inform DER -out server.pem -outform PEM

Then, I extract the DN of the server certificate with the command:

IPSEC:~/.ssh# openssl x509 -noout -subject -in server-root.pem

subject= /C=TW/O=\xE4\xB8\xAD\xE8\x8F\xAF\xE9\x9B\xBB\xE4\xBF\xA1\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8/CN=yjchu-server

At this time, I add the above result to the file "/usr/local/etc/ssh_known_hosts" on the client side.

However, when the client connects to the remote ssh server and performs server authentication, the following error message appears:


yjchu@Friday:~/.ssh$ ssh -v

OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

debug1: Reading configuration data /usr/local/etc/ssh_config


debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

x509key_str2X509NAME: X509_NAME_add_entry_by_NID fail with errormsg='error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long' for nid=17/organizationName and data='\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8'

key_read: uudecode Subject:/C=TW/O=\\xE4\\xB8\\xAD\\xE8\\x8F\\xAF\\xE9\\x9B\\xBB\\xE4\\xBF\\xA1\\xE8\\x82\\xA1\\xE4\\xBB\\xBD\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8/CN=yjchu-server


No RSA+cert host key is known for and you have requested strict checking.

Host key verification failed.


Does anybody know how to solve the problem?


Yann-Ju Chu
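
The following is an added example, not part of the original post and not code from OpenSSH or the X.509 patch. It decodes the \xHH escapes in the subject line above and compares the escaped and decoded lengths of each attribute with the 64-character upper bound that RFC 5280 sets for organizationName, which is the attribute the "string too long" error names. The function names and the UB table are the example's own.

```python
import re

# Upper bounds in characters from RFC 5280 (countryName is 2, the others 64).
UB = {"C": 2, "O": 64, "OU": 64, "CN": 64}

# Constructed sample: the subject from the post, forum-inserted spaces removed.
SUBJECT = (r"subject= /C=TW/O=\xE4\xB8\xAD\xE8\x8F\xAF\xE9\x9B\xBB\xE4\xBF\xA1"
           r"\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90"
           r"\xE5\x85\xAC\xE5\x8F\xB8/CN=yjchu-server")

_ESC = re.compile(r"\\+x([0-9A-Fa-f]{2})")  # \xHH, also the doubled \\xHH form

def unescape(value):
    """Turn \\xHH escapes back into the UTF-8 text they stand for."""
    raw, pos = bytearray(), 0
    for m in _ESC.finditer(value):
        raw += value[pos:m.start()].encode("utf-8")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += value[pos:].encode("utf-8")
    return raw.decode("utf-8")  # raises UnicodeDecodeError on a damaged sequence

def parse_subject(line):
    """Split a one-line /TYPE=value/... DN (values without '/') into triples."""
    if line.startswith("subject="):
        line = line.split("=", 1)[1]
    out = []
    for rdn in line.strip().strip("/").split("/"):
        key, _, val = rdn.partition("=")
        out.append((key, val, unescape(val)))
    return out

def check(line):
    """Per attribute: escaped and decoded lengths, and whether each fits UB."""
    report = {}
    for key, esc, dec in parse_subject(line):
        ub = UB.get(key)
        report[key] = {"escaped_len": len(esc), "decoded_len": len(dec),
                       "escaped_ok": ub is None or len(esc) <= ub,
                       "decoded_ok": ub is None or len(dec) <= ub}
    return report

if __name__ == "__main__":
    for attr, result in check(SUBJECT).items():
        print(attr, result)
```

The escaped organizationName is 120 characters when read as literal text, while the decoded value is 10 characters.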