Unexpected two dots for custom x509 extension

[e-cloud]

I am trying to add custom x509 extension when creating a self-signed certificate. The exmple code follows behind.
They run fine.

However, when I check the generate certificate, the custom extension item in the output shows with extra symbols ...

Am I do something wrong?

---

cat <<EOT >> openssl.cnf
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = req_distinguished_name
req_extensions      = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = California
localityName                = Locality Name (eg, city)
localityName_default        = San Francisco
organizationName            = Organization Name (eg, company)
organizationName_default    = My Company
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = mycompany.com

[ req_ext ]
subjectAltName = @alt_names
1.2.3.4.5 = ASN1:UTF8String:hello world

[ alt_names ]
DNS.1 = mycompany.com
EOT

# Generate the private key
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

# Generate the CSR using the configuration file
openssl req -new -key private.key -out request.csr -config openssl.cnf

# Generate the self-signed certificate including the custom extension
openssl x509 -req -in request.csr -signkey private.key -out certificate.pem -extfile openssl.cnf -extensions req_ext

# Verify the certificate to ensure correct encoding
openssl x509 -in certificate.pem -text -noout

the output is

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            41:33:39:24:e6:16:8b:50:59:69:81:9d:dc:21:5e:f9:32:5e:ce:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=My Company, CN=mycompany.com
        Validity
            Not Before: May 16 06:54:41 2024 GMT
            Not After : Jun 15 06:54:41 2024 GMT
        Subject: C=US, ST=California, L=San Francisco, O=My Company, CN=mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:bd:c8:ba:42:2d:f4:34:57:e4:8e:a2:a2:66:
                    b8:b4:65:41:b0:0e:d4:dd:33:41:f0:30:7c:b1:8e:
                    1c:ec:eb:0f:0d:8a:84:52:1c:7b:27:23:3f:f3:e0:
                    ee:df:f8:95:96:58:6b:e7:c0:9e:22:c4:b8:8e:d4:
                    3d:1f:9f:b6:73:70:94:b9:d5:2d:58:c9:34:31:be:
                    da:58:02:d9:f6:95:d1:a8:48:12:12:72:d0:05:61:
                    48:7d:75:69:97:9c:f2:ce:c2:5e:f5:98:a3:40:8f:
                    2c:7d:34:c9:be:14:ee:3d:b4:e3:12:a5:f9:2b:6d:
                    4e:d3:5d:c8:8b:fa:97:9b:4c:b7:1c:22:32:d5:ac:
                    87:a3:3f:5d:f6:89:7d:e2:24:e7:12:aa:67:bf:fc:
                    30:f6:e5:18:13:53:df:ac:33:e2:e5:ac:74:36:24:
                    88:d6:63:9a:4d:0c:75:08:7d:2e:24:d8:a2:70:47:
                    30:34:31:8f:e5:95:12:95:95:8d:c9:0e:cd:bd:6c:
                    5c:40:01:a3:7c:87:37:fc:16:42:50:5a:dd:7d:e7:
                    27:81:f6:04:24:d0:a5:3d:29:2d:07:46:09:89:ec:
                    6f:e2:13:78:20:34:5f:ce:7b:ad:d4:c9:cd:7c:89:
                    f4:bf:8d:41:cf:7c:35:c8:62:b2:00:ba:a5:ef:44:
                    0f:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:mycompany.com
            1.2.3.4.5: 
                ..hello world
            X509v3 Subject Key Identifier: 
                6C:DF:2F:1B:AB:57:BD:71:AC:8A:BE:A1:2B:F3:EC:BE:E5:7A:2C:25
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        94:d4:fa:16:9c:7d:b0:69:03:d7:05:9b:aa:ad:d8:75:b8:32:
        a1:86:d8:4c:17:88:83:8e:17:1e:ff:49:e8:6a:68:cf:37:61:
        56:76:9f:dd:e2:d7:a5:99:93:1a:67:de:60:a5:b0:81:55:e3:
        7e:d1:c6:df:27:7c:41:b7:c4:8a:52:13:42:1c:f1:43:0a:6c:
        40:21:55:bc:3b:c8:83:a3:f4:4b:ff:ab:b0:33:51:e4:99:f8:
        4d:cb:26:9c:ad:1c:09:ef:dd:90:18:80:9a:bb:02:1e:4d:08:
        3a:05:c8:d8:de:7a:83:80:a2:1b:7b:67:fc:bf:0f:2a:39:70:
        17:91:18:60:2a:59:bb:b2:00:d3:01:0b:14:91:80:39:66:0d:
        92:9f:26:9b:a4:c3:b0:50:d1:4c:57:96:22:ce:31:5c:33:f2:
        36:98:d8:4a:0c:85:f6:dd:98:90:5c:a1:18:66:f0:03:ec:1a:
        8a:6b:20:69:d9:c2:c6:e3:03:da:59:ce:3b:73:33:4a:fd:c2:
        ce:52:16:9c:1a:11:05:3c:d8:4c:33:e9:65:44:78:6c:2b:e0:
        89:e6:86:40:19:2d:aa:f8:64:ee:83:79:0e:b9:f0:cb:d0:b9:
        1f:64:43:b5:88:76:c3:6d:fb:b1:89:3b:5a:33:ea:22:d6:65:
        9d:06:e8:5c

[botovq]

This is expected. The two dots are just part of a hexdump of the extension's value, which you configured to be a UTF8String. From openssl asn1parse -i -in certificate.pem:

  605:d=4  hl=2 l=  21 cons:     SEQUENCE
  607:d=5  hl=2 l=   4 prim:      OBJECT            :1.2.3.4.5
  613:d=5  hl=2 l=  13 prim:      OCTET STRING      [HEX DUMP]:0C0B68656C6C6F20776F726C64

The first dot is 0C, the ASN.1 tag for UTF8String, and the second dot is 0B, the length. The remaining octets encode hello world in ASCII.

Less clunky tools such as der-ascii show

        SEQUENCE {
          OBJECT_IDENTIFIER { 1.2.3.4.5 }
          OCTET_STRING {
            UTF8String { "hello world" }
          }
        }

which is what it should be.