I notice that there are many posts regarding 7211021 in the archives. For whatever it is worth, here are my experiences over the last two days of working with OpenCA 0.9.1. and encountering and resolving this error.
For us, it was relatively simple. We were doing significant customization. For example, we wanted to not force a subject_alt_name since the ssh client passes will not pass the DER_ASN.1_DN during IKE if a subject_alt_name is present and we parse the DER_ASN.1_DN fields for access control. We also wanted to be able to specify several OU's and wanted to enter any of a number of different values in the Country Code. We tried seemingly endless permutations to get it all right. The last of those confronted us with 7211021. The basic_csr command was forcing all user elements to be at least three characters. As long as we kept the Country Code as a base rather than a basic_element, we had two character country codes and all worked well. When we finally got the rest of our customizations working, we tried changing the Country Code to a basic_element. That forced us to enter a three character Country Code and suddenly we hit the 7211021 errors. Thankfully, Michael Bell suggested changing minlen in basic_csr to 2 wherever it was set to 3. This allowed us to enter properly formed Country Codes and the 7211021 errors went away. Hopefully that information can help someone - John Sullivan -- John A. Sullivan III Chief Technology Officer Nexus Management +1 207-985-7880 [EMAIL PROTECTED] --- If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Openca-Users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-users
