On Friday 16 Dec 2011 11:31:59 you wrote:
> (Sorry, accidentally hit send, ignore previous mail)
>
> On 12/15/2011 11:01 PM, Mick wrote:
> > Hi All,
> >
> > I've generated a cakey.pem and cacert.pem on my PC. Uploaded the
> > cacert.pem to my router and used its GUI to generate a CSR.
> >
> > When I try to sign this CSR file back on my PC I'm getting this error:
> > =====================================
> > $ openssl ca -config ./openssl_VPN.cnf -days 1095 -cert cacert_VPN.pem
> > -keyfile VPN_CA/private/cakey_VPN.pem -infiles certificate-router-request
> > Using configuration from ./openssl_VPN.cnf
> > Enter pass phrase for VPN_CA/private/cakey_VPN.pem:
> > Check that the request matches the signature
> > Signature ok
> > The stateOrProvinceName field needed to be the same in the
> > CA certificate (Buckinghamshire) and the request (Buckinghamshire)
> > =====================================
> >
> > I don't understand why I get this error. Both cacert and
> > certificate-router-request files contain exactly the same ST= field.
> > The cacert_VPN.pem shows:
> > Issuer: C=GB, ST=Buckinghamshire, L= [snip ...]
> > Subject: C=GB, ST=Buckinghamshire, L= [snip ...]
> >
> > and the CSR shows:
> > Subject: C=GB, ST=Buckinghamshire, L= [snip ...]
>
> Try repeating those output commands with the option
> -nameopt multiline,show_type
Bingo! :-)
The problem seems to be that the router CSR shows:
stateOrProvinceName = PRINTABLESTRING:Buckinghamshire
while the cacert_VPN.pem shows:
stateOrProvinceName = UTF8STRING:Buckinghamshire
The whole router Subject content is:
Subject:
countryName = PRINTABLESTRING:blah
stateOrProvinceName = PRINTABLESTRING:Buckinghamshire
localityName = PRINTABLESTRING:blah
organizationName = PRINTABLESTRING:blah
organizationalUnitName = PRINTABLESTRING:blah
commonName = T61STRING:blah
while the cacert is:
Subject:
countryName = PRINTABLESTRING:blah
stateOrProvinceName = UTF8STRING:Buckinghamshire
organizationName = UTF8STRING:blah
organizationalUnitName = UTF8STRING:blah
commonName = UTF8STRING:blah
> to determine if the two disagree on the character encoding,
> spacing or other subtle aspect of the ST= part of the name.
>
> If it turns out to be such a subtle difference, please report
> it back to the list as a bug in the openssl code that handles
> the "match" option, and as a workaround change the field to
> "supplied" in the policy but manually inspect each CSR before
> deciding to sign it (This would not work if the match is also
> enforced by a path constraint in the CA cert).
Before I read your message I changed the "match" option to "optional" for the
ST field. Then openssl complained about the organizationName and I changed
that to "optional" too. It helped me to issue the certificates - but I wasn't
sure if I was doing the right thing.
I have this in the openssl.cnf:
##############################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
##############################################
but even when I replaced it with
string_mask = default
I got the same error. So eventually I left it as utf8only. What should this
option be?
Thank you for your help! :-)
--
Regards,
Mick
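The string-type mismatch Mick found above, as an added example that is not part of the thread: a small Python DER encoder/decoder for a Subject Name that reports each attribute's ASN.1 string type (the same information -nameopt multiline,show_type prints) and shows that a comparison which includes the string type fails for ST even though a text-only comparison matches. The tag values, OIDs and the two constructed sample subjects are assumptions made for the example, not data from the thread.

```python
# Added example (not the thread's code): minimal DER encode/decode of an X.509 Name,
# short-form lengths and ASCII values only, showing why ST differs by string type.
PRINTABLESTRING, UTF8STRING = 0x13, 0x0C          # universal ASN.1 string tags
TAG_NAMES = {0x13: "PRINTABLESTRING", 0x14: "T61STRING", 0x0C: "UTF8STRING"}
# Attribute type OIDs (DER content bytes) for the fields in the thread's output.
OIDS = {"countryName": b"\x55\x04\x06", "stateOrProvinceName": b"\x55\x04\x08",
        "localityName": b"\x55\x04\x07", "organizationName": b"\x55\x04\x0a",
        "organizationalUnitName": b"\x55\x04\x0b", "commonName": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}

def tlv(tag, body):
    """DER tag-length-value; this example only supports bodies shorter than 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_name(attrs):
    """[(attribute, string_tag, value), ...] -> DER Name (SEQUENCE OF SET OF AVA)."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, OIDS[a]) + tlv(tag, v.encode("ascii"))))
        for a, tag, v in attrs)
    return tlv(0x30, rdns)

def read_tlv(buf, pos):
    """Return (tag, body, position after the element) for a short-form DER element."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_name(der):
    """-> [(attribute, tag_name, value), ...], what -nameopt multiline,show_type prints."""
    _, seq, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)       # SET
        _, ava, _ = read_tlv(rdn, 0)           # SEQUENCE { OID, value } (single-valued RDN)
        _, oid, p = read_tlv(ava, 0)
        tag, value, _ = read_tlv(ava, p)
        out.append((OID_NAMES[oid], TAG_NAMES[tag], value.decode("ascii")))
    return out

def attribute_matches(ca_der, csr_der, attr, strict=True):
    """strict compares string type and text (as the DER bytes do); lenient compares text only."""
    pick = lambda der: [(t, v) for a, t, v in decode_name(der) if a == attr][0]
    (ca_tag, ca_val), (csr_tag, csr_val) = pick(ca_der), pick(csr_der)
    return (ca_tag, ca_val) == (csr_tag, csr_val) if strict else ca_val == csr_val

# Constructed from the thread's show_type output: only the string type of ST differs.
CA_SUBJECT = encode_name([("countryName", PRINTABLESTRING, "GB"),
                          ("stateOrProvinceName", UTF8STRING, "Buckinghamshire")])
ROUTER_CSR_SUBJECT = encode_name([("countryName", PRINTABLESTRING, "GB"),
                                  ("stateOrProvinceName", PRINTABLESTRING, "Buckinghamshire")])
```

Running decode_name on a real CSR or certificate Subject (the DER of the Name element, extracted with an ASN.1 tool) gives the same per-attribute type listing without relying on openssl's -nameopt output.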