OpenSSL CSR signing error: The countryName field needed to be the same in the CA certificate and the request
Code:
# openssl ca -cert certs/ca.crt -keyfile certs/ca.key -in certs/testfed.csr -out certs/testfed.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (NL) and the request (RO)
This is a generic OpenSSL error that occurs when the countryName in the certificate signing request (CSR) differs from the countryName in the CA certificate. When OpenSSL is used as a certificate authority to sign requests and the default settings in openssl.cnf are in place, the same restriction also applies to stateOrProvinceName and organizationName.
To be able to sign certificate requests with a different countryName, stateOrProvinceName or organizationName than the authority's certificate, edit the openssl.cnf file, go to the [ policy_match ] section and modify the restrictions accordingly. In my case, I have changed the "match" policy to "optional":
Code:
openssl.cnf
...
# For the CA policy
[ policy_match ]
#countryName = match
countryName = optional
#stateOrProvinceName = match
stateOrProvinceName = optional
#organizationName = match
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
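
The match / supplied / optional rules can be checked before running openssl ca. The script below is an added example (not from the original post and not OpenSSL's own code) that applies a [ policy_match ] section to a CA subject and a CSR subject given as dictionaries. The function names load_policy and check_request and every subject value other than NL and RO are assumptions made for the illustration.

```python
# Added example: offline check of a CSR subject against an openssl.cnf policy.
# All subject values except C=NL / C=RO are constructed for illustration.
DEFAULT_CNF = """
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""
RELAXED_CNF = DEFAULT_CNF.replace("= match", "= optional")  # the edit from the post

def load_policy(cnf_text, section="policy_match"):
    """Parse one policy section, ignoring '#' comments and other sections."""
    policy, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            policy[key.strip()] = value.strip()
    return policy

def check_request(policy, ca_subject, csr_subject):
    """Return (errors, dropped): policy violations and fields the CA would omit."""
    errors = []
    for field, rule in policy.items():
        value = csr_subject.get(field)
        if rule in ("match", "supplied") and value is None:
            errors.append(f"{field}: missing from the request")
        elif rule == "match" and value != ca_subject.get(field):
            errors.append(f"{field}: CA certificate ({ca_subject.get(field)}) "
                          f"and the request ({value}) differ")
    # Fields absent from the policy section are not copied into the certificate
    # (documented `openssl ca` behaviour unless -preserveDN is given).
    dropped = [f for f in csr_subject if f not in policy]
    return errors, dropped

CA = {"countryName": "NL", "stateOrProvinceName": "Example-State",
      "organizationName": "Example CA", "commonName": "Example Root"}
CSR = {"countryName": "RO", "stateOrProvinceName": "Example-State",
       "organizationName": "Example CA", "commonName": "testfed.example",
       "localityName": "Example-City"}

if __name__ == "__main__":
    for name, cnf in (("default", DEFAULT_CNF), ("relaxed", RELAXED_CNF)):
        errors, dropped = check_request(load_policy(cnf), CA, CSR)
        print(name, "errors:", errors, "dropped:", dropped)
```

With the relaxed policy the request passes, which means the CA signs whatever country, state and organization the requester put in the CSR.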