Hello:

I've been messing with openssl ca, and I think I may have found a (very minor) bug.

$ openssl version
OpenSSL 0.9.3a 29 May 1999

Given this CA cert:

$ openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=WRQ, Inc., OU=WRQsec, CN=CA 8/5/1999
        Validity
            Not Before: Aug  5 23:19:39 1999 GMT
            Not After : Sep  4 23:19:39 1999 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=WRQ, Inc., OU=WRQsec, CN=CA 8/5/1999
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:15:57:fa:cd:9f:21:74:d2:a0:e1:36:a6:7d:
                    61:3b:82:9a:a1:7b:9f:d5:a5:7a:d6:7f:7b:5c:f8:
                    0c:5d:5f:49:a7:2b:b6:2b:6b:39:fc:a3:1e:fb:5d:
                    59:e6:a2:d2:29:01:75:82:fc:ed:af:e0:4d:50:95:
                    57:47:c3:59:c4:fe:ca:d3:29:f7:70:40:cf:ac:19:
                    0a:c9:a9:34:15:69:29:f3:e7:d0:6b:80:9c:4b:d2:
                    92:29:36:44:a9:7e:d8:be:c4:0b:b5:b1:1e:76:e8:
                    c0:06:74:34:13:23:74:58:5c:fd:23:41:d5:a6:cb:
                    6a:55:b5:c0:0f:ff:23:e6:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F1:AE:63:F8:8E:8C:46:E2:3F:05:02:E0:2E:72:7D:24:BD:49:C0:BC
            X509v3 Authority Key Identifier:
                keyid:F1:AE:63:F8:8E:8C:46:E2:3F:05:02:E0:2E:72:7D:24:BD:49:C0:BC
                DirName:/C=US/ST=Washington/L=Seattle/O=WRQ, Inc./OU=WRQsec/CN=CA 8/5/1999
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        2b:4e:27:36:02:3e:fc:42:9e:39:57:cb:79:bc:53:d0:d3:bb:
        51:7f:40:2e:9f:ba:c0:11:d8:71:9c:2a:dc:4f:1e:4d:ff:ea:
        aa:f4:32:37:4f:2c:80:93:a3:45:d1:92:f0:8a:f5:9b:43:08:
        85:bb:31:1b:81:8b:07:f7:a4:01:2e:1d:e2:47:65:e6:51:57:
        c5:85:14:2f:50:0e:93:41:59:8c:01:a0:b6:9f:9d:f2:77:be:
        3f:ed:d9:87:d5:c6:75:4b:b8:98:76:45:91:35:1e:85:d0:03:
        9b:0e:63:a8:a2:1d:4c:a6:af:e6:78:09:97:41:b7:83:f5:c0:
        36:3c
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIBADANBgkqhkiG9w0BAQQFADBvMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJ
V1JRLCBJbmMuMQ8wDQYDVQQLEwZXUlFzZWMxFDASBgNVBAMTC0NBIDgvNS8xOTk5
MB4XDTk5MDgwNTIzMTkzOVoXDTk5MDkwNDIzMTkzOVowbzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoT
CVdSUSwgSW5jLjEPMA0GA1UECxMGV1JRc2VjMRQwEgYDVQQDEwtDQSA4LzUvMTk5
OTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyBVX+s2fIXTSoOE2pn1hO4Ka
oXuf1aV61n97XPgMXV9Jpyu2K2s5/KMe+11Z5qLSKQF1gvztr+BNUJVXR8NZxP7K
0yn3cEDPrBkKyak0FWkp8+fQa4CcS9KSKTZEqX7YvsQLtbEedujABnQ0EyN0WFz9
I0HVpstqVbXAD/8j5qECAwEAAaOBzDCByTAdBgNVHQ4EFgQU8a5j+I6MRuI/BQLg
LnJ9JL1JwLwwgZkGA1UdIwSBkTCBjoAU8a5j+I6MRuI/BQLgLnJ9JL1JwLyhc6Rx
MG8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdT
ZWF0dGxlMRIwEAYDVQQKEwlXUlEsIEluYy4xDzANBgNVBAsTBldSUXNlYzEUMBIG
A1UEAxMLQ0EgOC81LzE5OTmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQF
AAOBgQArTic2Aj78Qp45V8t5vFPQ07tRf0Aun7rAEdhxnCrcTx5N/+qq9DI3TyyA
k6NF0ZLwivWbQwiFuzEbgYsH96QBLh3iR2XmUVfFhRQvUA6TQVmMAaC2n53yd74/
7dmH1cZ1S7iYdkWRNR6F0AObDmOooh1Mpq/meAmXQbeD9cA2PA==
-----END CERTIFICATE-----

And this cert request:

$ openssl req -text -in jbloggscert-req.pem
Using configuration from /usr/local/ssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Washington, L=Seattle, O=Int'l Widget, OU=Tool and Die, CN=Joeseph [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:ba:cf:0c:7f:07:f3:0d:87:18:5f:b0:f6:2c:16:
                    0f:f7:aa:f8:fa:79:6a:38:f3:0e:ac:81:3f:70:5f:
                    65:48:b6:78:01:4f:c9:57:b4:1b:ea:ff:d8:c5:42:
                    c4:b1:31:f3:d8:e1:fc:6f:32:b0:5e:a8:c2:e5:e8:
                    1c:07:d5:a8:2f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        a7:aa:e0:23:9e:1d:00:03:ea:6e:a9:78:8a:61:90:89:5d:f0:
        50:56:df:29:72:13:f3:f4:39:b4:dc:e8:54:92:40:1e:0a:51:
        c8:fc:44:a4:36:14:fb:ee:b6:e8:3a:2f:90:a1:c3:96:bf:48:
        41:46:2f:95:76:85:ab:cc:af:64
-----BEGIN CERTIFICATE REQUEST-----
MIIBWzCCAQUCAQAwgZ8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
MRAwDgYDVQQHEwdTZWF0dGxlMRUwEwYDVQQKEwxJbnQnbCBXaWRnZXQxFTATBgNV
BAsTDFRvb2wgYW5kIERpZTEXMBUGA1UEAxMOSm9lc2VwaCBCbG9nZ3MxIjAgBgkq
hkiG9w0BCQEWE2pibG9nZ3NAaXdpZGdldC5jb20wXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAus8MfwfzDYcYX7D2LBYP96r4+nlqOPMOrIE/cF9lSLZ4AU/JV7Qb6v/Y
xULEsTHz2OH8bzKwXqjC5egcB9WoLwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQCn
quAjnh0AA+puqXiKYZCJXfBQVt8pchPz9Dm03OhUkkAeClHI/ESkNhT77rboOi+Q
ocOWv0hBRi+VdoWrzK9k
-----END CERTIFICATE REQUEST-----

And a policy called "organization" that looks like:

# Slightly looser policy - must be same company, may be different division
[ organization ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = supplied

The CA fails to certify the request, because the Subject has a different organizationName from the CA. That's fine, but I think in the explanation provided, the strings for CA organization and Subject organization are switched (bug is the last line):

<sorry for the gnarly formatting>

$ openssl ca -name aug5 -in jbloggscert-req.pem -out joebloggs-cert.pem -verbose -policy organization
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
V       000805002110Z           01      unknown /C=US/ST=Washington/O=WRQ, Inc./OU=WRQsec/CN=Joe [EMAIL PROTECTED]
V       000809031813Z           02      unknown /C=US/ST=Washington/L=Seattle/O=Int'l Widget/OU=Tool and Die/CN=Joeseph [EMAIL PROTECTED]
2 entries loaded from the database
generating indexs
message digest is md5
policy is organization
next serial number is 03
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Washington, L=Seattle, O=Int'l Widget, OU=Tool and Die, CN=Joeseph [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:ba:cf:0c:7f:07:f3:0d:87:18:5f:b0:f6:2c:16:
                    0f:f7:aa:f8:fa:79:6a:38:f3:0e:ac:81:3f:70:5f:
                    65:48:b6:78:01:4f:c9:57:b4:1b:ea:ff:d8:c5:42:
                    c4:b1:31:f3:d8:e1:fc:6f:32:b0:5e:a8:c2:e5:e8:
                    1c:07:d5:a8:2f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        a7:aa:e0:23:9e:1d:00:03:ea:6e:a9:78:8a:61:90:89:5d:f0:
        50:56:df:29:72:13:f3:f4:39:b4:dc:e8:54:92:40:1e:0a:51:
        c8:fc:44:a4:36:14:fb:ee:b6:e8:3a:2f:90:a1:c3:96:bf:48:
        41:46:2f:95:76:85:ab:cc:af:64
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Washington'
localityName          :PRINTABLE:'Seattle'
organizationName      :PRINTABLE:'Int'l Widget'
organizationalUnitName:PRINTABLE:'Tool and Die'
commonName            :PRINTABLE:'Joeseph Bloggs'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
The organizationName field needed to be the same in the
CA certificate (Int'l Widget) and the request (WRQ, Inc.)
$               ^^^^^<--------REVERSED---------->^^^^^

Pretty minor, but probably easy to fix.

-Mike Slass
WRQ, Inc.
Seattle, WA, USA

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
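The following is an added example, not code from the post or from OpenSSL, that models the `openssl ca` subject-policy check the post exercises: each policy attribute is `match` (must equal the CA certificate's value), `supplied` (must be present) or `optional`, and attributes the policy does not name are dropped from the certified subject. It reproduces the post's failing case with the CA and request values in the correct order in the diagnostic, then a passing variant. The CA and request DNs and the `[ organization ]` policy are copied from the post; the function names, the check order, the diagnostic wording for the non-`match` failures and the placeholder e-mail address are this example's own assumptions.

```python
"""Model of the openssl ca subject-policy check (added example, not OpenSSL code)."""

# Policy copied from the post. openssl ca walks the policy entries in order
# and builds the certified subject from them, so order is significant.
ORGANIZATION_POLICY = [
    ("countryName", "match"),
    ("stateOrProvinceName", "match"),
    ("organizationName", "match"),
    ("organizationalUnitName", "supplied"),
    ("commonName", "supplied"),
    ("emailAddress", "supplied"),
]

# Subject DNs from the post as ordered (attribute, value) lists.
CA_SUBJECT = [
    ("countryName", "US"),
    ("stateOrProvinceName", "Washington"),
    ("localityName", "Seattle"),
    ("organizationName", "WRQ, Inc."),
    ("organizationalUnitName", "WRQsec"),
    ("commonName", "CA 8/5/1999"),
]

REQUEST_SUBJECT = [
    ("countryName", "US"),
    ("stateOrProvinceName", "Washington"),
    ("localityName", "Seattle"),
    ("organizationName", "Int'l Widget"),
    ("organizationalUnitName", "Tool and Die"),
    ("commonName", "Joeseph Bloggs"),
    # Constructed placeholder: the archive redacted the real address.
    ("emailAddress", "jbloggs@example.invalid"),
]

# Short names used when printing a DN in the one-line /C=.../ST=... form.
SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
    "emailAddress": "Email",
}


def apply_policy(policy, ca_subject, req_subject):
    """Return (ok, certified_subject, message).

    match    - request value must equal the CA certificate's value
    supplied - request must carry the attribute
    optional - attribute is copied only if present
    Attributes absent from the policy are not copied into the certified subject.
    """
    ca = dict(ca_subject)
    req = dict(req_subject)
    certified = []
    for attr, rule in policy:
        req_val = req.get(attr)
        if rule == "match":
            ca_val = ca.get(attr)
            if ca_val is None:
                return False, None, f"The {attr} field is not present in the CA certificate"
            if req_val != ca_val:
                # CA value first, request value second: the orientation the
                # post says the 0.9.3a message had reversed.
                return (False, None,
                        f"The {attr} field needed to be the same in the CA certificate "
                        f"({ca_val}) and the request ({req_val})")
        elif rule == "supplied":
            if req_val is None:
                return False, None, f"The {attr} field needed to be supplied and was missing"
        elif rule == "optional":
            if req_val is None:
                continue
        else:
            return False, None, f"Unknown policy rule '{rule}' for {attr}"
        certified.append((attr, req_val))
    return True, certified, "ok"


def to_oneline(subject):
    """Render an (attribute, value) list as /C=US/ST=.../CN=... text."""
    return "".join(f"/{SHORT_NAMES.get(attr, attr)}={val}" for attr, val in subject)


def with_organization(subject, org):
    """Copy of a subject with organizationName replaced (used for the passing case)."""
    return [(a, org if a == "organizationName" else v) for a, v in subject]


if __name__ == "__main__":
    ok, subj, msg = apply_policy(ORGANIZATION_POLICY, CA_SUBJECT, REQUEST_SUBJECT)
    print(ok, msg)
    ok, subj, msg = apply_policy(ORGANIZATION_POLICY, CA_SUBJECT,
                                 with_organization(REQUEST_SUBJECT, "WRQ, Inc."))
    print(ok, to_oneline(subj))
```

Running it first prints the refusal with the values the right way round, then shows that a request from the CA's own organization passes and that localityName, which the policy never names, is silently dropped from the certified subject; that silent drop is worth knowing when a policy is tightened, because the issued certificate carries less than the request asked for.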