Hi, I am trying to generate some client certificates for openvpn and I found openssl breaks with a cryptic message "TXT_DB error number 2" if I enter a _comma_ into the Organization Name string.
First of all I do not understand why I get an error from openssl so late in the process (while signing a broken request). Why was that broken string accepted during client.csr creation? Please compare the two approaches below.

Thanks,
Martin

BROKEN

easy-rsa # ./build-req client
Generating a 2048 bit RSA private key
....................................................+++
.........................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CZ]:
State or Province Name (full name) [CZ]:
Locality Name (eg, city) [Prague]:
Organization Name (eg, company) [Organization, Some dept]:
---------------------------------------------^
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
easy-rsa # ./sign-req client
Using configuration from /etc/openvpn/iresite/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CZ'
stateOrProvinceName   :PRINTABLE:'CZ'
localityName          :PRINTABLE:'Prague'
organizationName      :PRINTABLE:'Organization, Some dept'
----------------------------------------------^
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until May 14 11:04:09 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
easy-rsa #

GOOD

easy-rsa #
easy-rsa # ./build-req client
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CZ]:
State or Province Name (full name) [CZ]:
Locality Name (eg, city) [Prague]:
Organization Name (eg, company) [Organization, Some dept]:Organization
----------------------------------------------------------^^^^^^^^^^^^
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
easy-rsa # ./sign-req client
Using configuration from /etc/openvpn/iresite/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CZ'
stateOrProvinceName   :PRINTABLE:'CZ'
localityName          :PRINTABLE:'Prague'
organizationName      :PRINTABLE:'Organization'
----------------------------------^^^^^^^^^^^^
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until May 14 11:04:55 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
easy-rsa #
