Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Wed Jun 28, 2017 2:18 pm


Firewals, computer, server and network security, kernel and applications security of FreeBSD/Linux/AIX systems.

Author Message
mandrei99
Post  Post subject: OpenSSL signing error: The countryName field needed to be the same in the CA certificate and the req  |  Posted: Thu Jan 08, 2015 11:38 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 245

Offline
 

OpenSSL signing error: The countryName field needed to be the same in the CA certificate and the req

OpenSSL CSR signing error: The countryName field needed to be the same in the CA certificate and the request

Code:
# openssl ca -cert certs/ca.crt -keyfile certs/ca.key -in certs/testfed.csr -out certs/testfed.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (NL) and the request (RO)


This is a generic OpenSSL error that occurs when the certificate signing request (CSR) countryName and the CA certificate countryName are not the same. When OpenSSL is used as certificate authority for signing requests and default openssl settings in openssl.cnf are in place, this restriction also applies to stateorProvince and organizationName.

To be able to sign certificate requests from with different countryName, stateOrProvinceName or organizationName than the authority's certificate, edit openssl.cnf file, go to [ policy_match ] section and modify the restrictions accordingly. In my case, I have changed the "match" policy to "optional":
Code:
openssl.cnf
...
# For the CA policy
[ policy_match ]
#countryName            = match
countryName             = optional
#stateOrProvinceName    = match
stateOrProvinceName     = optional
#organizationName       = match
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional





Top
Display posts from previous:  Sort by  
E-mail friendPrint view

Topics related to - "OpenSSL signing error: The countryName field needed to be the same in the CA certificate and the req"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. How to check HTTPS site certificate chain with OpenSSL

mandrei99

0

916

Fri Oct 04, 2013 10:39 am

mandrei99 View the latest post

There are no new unread posts for this topic. OpenSSL certificate authority (CA) - how to copy x509 extensions from CSR to signed PEM

mandrei99

0

997

Thu Jan 08, 2015 11:59 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO