Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Signing a certificate with my CA

Tags:

certificate

openssl

On running:

openssl ca -in ${ALIAS}.csr -out user-cert.pem -keyfile cacert-private.pem -cert cacert.pem -passin pass:$PASSWD -config ${CONFIG}

I get:

The stateOrProvinceName field needed to be the same in the CA certificate (Gloucestershire) and the request (Gloucestershire)

I've read the error a few times and I'm fairly sure the field is the same value in each case. I have found references to similar problems being caused by different encodings but I don't know how I should be specifying that and where.

This is the ${ALIAS}.csr:

-----BEGIN NEW CERTIFICATE REQUEST----- MIICxzCCAa8CAQAwgYExCzAJBgNVBAYTAkdCMRgwFgYDVQQIEw9HbG91Y2VzdGVyc2hpcmUxEzAR BgNVBAcTCkNoZWx0ZW5oYW0xHzAdBgNVBAoTFldhbnNkeWtlIEhvdXNlIExpbWl0ZWQxDjAMBgNV BAsTBUZpemlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDWvivt1JHiuaNeadOQJtxynQ4sSAR/peWgKd8g9UQgNM+H9QW4NlRE81+g63BdRqZT5YMm J4K3upovQNlDRklevslgEYoTdQM4yBKV676Q4XDbM7Vk+rt04sqL5IgdsAUXODfMJvu81t3tOjFc OGO7S+B+LEJ1+8qshLbuK2gBigfgcZtlbNgW6fCGik8ZsrKWl8W+NFbw1seS01INAipwCBasxaaj /lINwWQVbQIG09+vEdwuHmmq5VIKlJqFcYNUTFBVojoJLfzyStZR2PfFUxp7R+t2YmVj6a48B7NA lODnIlQDkAprECNMpCZoSP1QjrZgW1BgaVbT5OaWlVsPAgMBAAGgADANBgkqhkiG9w0BAQUFAAOC AQEAvalFyJOgzmd1jcFlS5YoqiNgX1bm9nZ0/cFgj6cGL7R0Gqc9wu5QPakWRxa9c2UcI0m7p1lp cygDvQTY23LEBhVcruymIGQG5DhDpXHeaBCbV3OWO6xowAjh+riQjvTNeVSXtP3jUNs5DaId0z+A GXeb7dR96jhyj+soNYENoQseQLqLdAW4p0jdK1BraMJTc0ber0FBx1nOUXOEoTIJL9kL9cUWaCp3 7uYkonIPtVCCfS8KcgXxUsNMC41q/SkKDVB23PeCjnWgcyXxnSpx8n+AK7fwMgh+4TcZ5usmVujR MNqk84hZpw8h1FIcmqRaWtaPWyv3EX8JH5LTnDe3eQ== -----END NEW CERTIFICATE REQUEST-----

And cacert.pem:

-----BEGIN CERTIFICATE----- MIIDQDCCAqmgAwIBAgIJAPj9mvMDl1K/MA0GCSqGSIb3DQEBBQUAMIG4MQswCQYD VQQGEwJHQjEYMBYGA1UECAwPR2xvdWNlc3RlcnNoaXJlMRMwEQYDVQQHDApDaGVs dGVuaGFtMR8wHQYDVQQKDBZXYW5zZHlrZSBIb3VzZSBMaW1pdGVkMQ4wDAYDVQQL DAVGaXppbzESMBAGA1UEAwwJbG9jYWxob3N0MTUwMwYJKoZIhvcNAQkBFiZyaWNo YXJkLm1pZHdpbnRlckB3YW5zZHlrZS1ob3VzZS5jby51azAeFw0xMTA4MDcyMTU4 NDBaFw0yMTA4MDQyMTU4NDBaMIG4MQswCQYDVQQGEwJHQjEYMBYGA1UECAwPR2xv dWNlc3RlcnNoaXJlMRMwEQYDVQQHDApDaGVsdGVuaGFtMR8wHQYDVQQKDBZXYW5z ZHlrZSBIb3VzZSBMaW1pdGVkMQ4wDAYDVQQLDAVGaXppbzESMBAGA1UEAwwJbG9j YWxob3N0MTUwMwYJKoZIhvcNAQkBFiZyaWNoYXJkLm1pZHdpbnRlckB3YW5zZHlr ZS1ob3VzZS5jby51azCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA03Y4hYdd at3e3AB98s+E5wlxrvRL8RhJtRac0Jt0gXQy12ZYziFm3gryx0IG02srXluM+V3/ BPRRCLsnEnltfoi/fE0wM9MT0V1Ao9EXQ5t1E2rOzdoXUUdvovd6qvwG2L/DHCdL kKjhokVR9TkFW/AWctBdWkb9qfFFTpDY4i0CAwEAAaNQME4wHQYDVR0OBBYEFHbG d3+Lzax90slk65y1BYDgZ897MB8GA1UdIwQYMBaAFHbGd3+Lzax90slk65y1BYDg Z897MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEArZ2yfTGJK3R+jRwP FjaonDy1NVOt9tgjHfyh9YNQfyFSC7R987wFPcyydEqh8xg/Lb3WGwseDuzCBusw jmVIqiUYBClHzkF3jG1766ltdlVVTOavVQgQMRBGMvpHVxcMH2RUNUyWH0XW+DH2 /uuRRpu4vX5sfEW75uEfORB9Mrg= -----END CERTIFICATE-----

Any ideas? Thanks in advance.

like image 385
rich Avatar asked Aug 07 '11 22:08

rich

People also ask

What is the use of CA signed certificate?

A certificate authority (CA) signed certificate is a certificate that is issued by a trusted third party. As it is signed by a certificate authority, the certificate provides assurance that the public key of the certificate truly belongs to the entity for which it is issued.

What is CA in signature?

Digital Certificates issued by Recognized CA This Digital Certificate is issued by a Certificate Authority (CA) to verify the identity of the certificate holder.

What is difference between CA and self-signed certificate?

A self-signed certificate is created, signed, and issued by the subject of the certificate (the entity it is issued to), while a CA certificate is created, signed, and issued by a third party called a certificate authority (CA) that is authorized to validate the identity of the applicant.

2 Answers

You can also set the attributes as optional:

# For the CA policy  [policy_match] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional
like image 153
Yogesh Chawla Avatar answered Sep 29 '22 08:09

Yogesh Chawla

I have also run into this problem. Thanks to the replies above (mainly Francois), I discovered the source of the problem.

openssl is encoding using UTF8STRING and keytool (Java 6) is encoding with PRINTABLESTRING.

Worked around it by changing the openssl configuration so it matches keytool. In /usr/ssl/openssl.cnf change the "string_mask" setting to "pkix".

like image 39
Reg Whitton Avatar answered Sep 29 '22 06:09

Reg Whitton
Sign in to Comment

Related questions

Create CSR using existing private key
cURL error 60: ssl certification issue when attempting to use symfony
How do you fix "code object is not signed at all In subcomponent:" in Xcode 6, Mac OS X Yosemite or Mavericks?
How can I decode a SSL certificate using python?
How do I create my own wildcard certificate on Linux?
What causes "Neither PUB key nor PRIV key:: nested asn1 error" when building a public key in ruby?
What certificates are trusted in truststore?
NodeJS & SSL - "bad password read"
Get certificate fingerprint of HTTPS server from command line?
HTTP error 403.16 - client certificate trust issue
PKIX path building failed: unable to find valid certification path to requested target
"Warning: unable to build chain to self-signed root for signer" warning in Xcode 9.2
"The credentials supplied to the package were not recognized" error when authenticating as server with certificate generated using BouncyCastle
Developing for iOS on multiple computers, testing on a single device, advice?
An error has occurred. Unable to import an item. The contents of this item cannot be retrieved. Missing .pem file
Android Studio: Server's certificate is not trusted
Get list of certificates from the certificate store in C#
key chain warning The “System Roots” keychain cannot be modified [closed]
Bouncycastle: X509CertificateHolder to X509Certificate?
heroku: set SSL certificates on Free Plan?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!