Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Mon Aug 15, 2022 2:38 pm


Username:
Subject:
Message body:
Enter your message here, it may contain no more than 60000 characters. 

Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:
Font size:
 
Font colour
Options:
BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON
Disable BBCode
Disable smilies
Do not automatically parse URLs
Confirmation code
Confirmation code:
In an effort to prevent automatic submissions, we require that you enter both of the words displayed into the text field underneath.
     

Topic review - OpenSSL signing error: The countryName field needed to be the same in the CA certificate and the req
Author Message
Post subject: OpenSSL signing error: The countryName field needed to be the same in the CA certificate and the req  |  Post Posted: Thu Jan 08, 2015 11:38 am
OpenSSL CSR signing error: The countryName field needed to be the same in the CA certificate and the request

Code:
# openssl ca -cert certs/ca.crt -keyfile certs/ca.key -in certs/testfed.csr -out certs/testfed.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (NL) and the request (RO)


This is a generic OpenSSL error that occurs when the certificate signing request (CSR) countryName and the CA certificate countryName are not the same. When OpenSSL is used as certificate authority for signing requests and default openssl settings in openssl.cnf are in place, this restriction also applies to stateorProvince and organizationName.

To be able to sign certificate requests from with different countryName, stateOrProvinceName or organizationName than the authority's certificate, edit openssl.cnf file, go to [ policy_match ] section and modify the restrictions accordingly. In my case, I have changed the "match" policy to "optional":
Code:
openssl.cnf
...
# For the CA policy
[ policy_match ]
#countryName            = match
countryName             = optional
#stateOrProvinceName    = match
stateOrProvinceName     = optional
#organizationName       = match
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
Jump to:  
cronNews News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO