I'm having trouble with Comodo/InstantSSL.  I think they are not
signing certs properly.

  Using openssl, I've created an SSL key and CSR for doing SSL on my
mail server by doing the following:

---------------------------------------------------------------------------------------------
# openssl req -new -nodes -keyout mail.suso.org-key.pem -out mail.suso.org-req.pem -days 365
Generating a 1024 bit RSA private key
.............++++++
....................................................................................++++++
writing new private key to 'mail.suso.org-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Indiana
Locality Name (eg, city) [Newbury]:Bloomington
Organization Name (eg, company) [My Company Ltd]:Suso Technology Services, Inc.
Organizational Unit Name (eg, section) []:suso.org
Common Name (eg, your name or your server's hostname) []:mail.suso.org
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl req -in mail.suso.org-req.pem -subject
subject=/C=US/ST=Indiana/L=Bloomington/O=Suso Technology Services, Inc./OU=suso.org/CN=mail.suso.org/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE REQUEST-----

[SNIPPED FROM THIS EMAIL]

-----END CERTIFICATE REQUEST-----

---------------------------------------------------------------------------------------------

  Then I sent the CSR from the mail.suso.org-req.pem file to Comodo to
get signed by a recognized CA.  When I get the signed cert back, the
subject of the cert is not the same as what it is in the CSR I sent
them.  In fact, it is the information that they have in their own
database for my account, which right now is for a different company
because last time I created a cert this same thing happened.

  After explaining the situation to them and that they should be
using the info from the CSR to sign certs, they claimed that they
understood what I was talking about and that if I emailed them the
CSR again with the correct information (instead of using their web
form), they would generate a new certificate with the subject from
the CSR.

  So, after checking the subject in the CSR cert, I sent them the same
CSR that I sent them through the web form.  Within an hour I got a new
certificate with the same problem as before: it had the subject that was
not from the CSR, but from their own database.

  So now I'm wanting to double check myself.  Are CAs supposed to be
using the CSRs for the subject in the cert that you get back?  What do
you all think about this situation?

-- 
Suso Banderas
[EMAIL PROTECTED]
________________________________________________________________________
Linux: be root. - Windows: reboot.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
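
Added example (not part of the original post): one way to check a returned certificate against the CSR that was submitted, confirming that the public key is the one from the CSR and reporting whether the subject was changed. The function names, file names, `example.test` subjects and the self-signed stand-in certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: compare a CSR with the certificate that came back for it.

# Print the subject DN of a CSR ($1 = req) or certificate ($1 = x509),
# in RFC 2253 form with the "subject=" label stripped.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print the PEM public key embedded in a CSR or certificate.
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey
}

# compare_csr_cert CSR CERT
# Prints one of: key-mismatch, subject-changed, match.
compare_csr_cert() {
    if [ "$(pubkey_of req "$1")" != "$(pubkey_of x509 "$2")" ]; then
        echo key-mismatch        # certificate was not issued for this CSR's key
    elif [ "$(subject_of req "$1")" != "$(subject_of x509 "$2")" ]; then
        echo subject-changed     # same key, but the issuer set a different DN
    else
        echo match
    fi
}

# Build constructed sample files in directory $1: a key and CSR, plus two
# self-signed stand-ins for an issued certificate (both carry the CSR's key).
make_samples() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/req.pem" -subj "/C=US/O=Example Org/CN=mail.example.test" 2>/dev/null
    openssl req -x509 -new -key "$1/key.pem" -days 1 -out "$1/same.pem" \
        -subj "/C=US/O=Example Org/CN=mail.example.test" 2>/dev/null
    openssl req -x509 -new -key "$1/key.pem" -days 1 -out "$1/changed.pem" \
        -subj "/C=US/O=Other Account Org/CN=mail.example.test" 2>/dev/null
}

# Demo on the constructed samples.
d=$(mktemp -d) && make_samples "$d"
echo "CSR subject:      $(subject_of req "$d/req.pem")"
echo "cert, same DN:    $(compare_csr_cert "$d/req.pem" "$d/same.pem")"
echo "cert, changed DN: $(compare_csr_cert "$d/req.pem" "$d/changed.pem")"
rm -rf "$d"
```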
