I am missing something basic and obvious about signing a client's CSR with openssl command.
I have (simulated) two organizations, one is the organization of the certificate authority (exists in California) and the other is the client organization who is in WA state.
I created the certificate authority on a Linux system with openssl command following these steps. http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
I have two files now 1. cakey.pem containing CA's private key. This private is also associated with a passphrase. 2. cacert.pem containing CA's self-signed certificate
Next, I want to sign all CSRs from the clients. A client from Washington state sends me a file client-csr.pem. I am reading this man page about signing CSRs and the examples at the end. http://www.openssl.org/docs/apps/ca.html
The command I am trying and the error message is as follows: I run these commands on the CA"s system, the same system where I created the cakey.pem (CA's private key) and cacert.pem (CA's self-signed certificate)
$ openssl ca -in demoCA/csrs/client-csr.pem -out client-cert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (WA)
The question is why must the state name be the same for both CA-certificate and the client-CSR.
Client is NOT in "California" and so when they create CSR, they put their own state name (WA). As a certificate authority, I have verified that the client is indeed in WA and the CSR file indeed came from them. I want to sign this CSR and return a certificate back to the client.
Solved. Thanks dbasic.
On the CA's system where the signing activity takes place, make a copy of /etc/ssl/openssl.conf and modify it and create a new config file. Use that modified-copy when signing.
cp /etc/ssl/openssl.cnf ./openssl-for-signing-csrs.cnf
And modify the 'countryName', stateOrProvinceName or 'organizationName' to 'supplied'. This indicates that the certificate should use the values from the CSRs and do not attempt to match with the certificate (one would attempt to 'match' only for self-signing, the default openssl.cnf seems to have been made for self-signing and not for a CA)
80,82c80,82
< countryName = match
< stateOrProvinceName = match
< organizationName = match
---
> countryName = supplied
> stateOrProvinceName = supplied
> organizationName = supplied
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With