Hi, i'm using the fine how-to from http://www.eclectica.ca/howto/ssl-cert-howto.php now for years without problems. It's on Debian Etch, openssl version is OpenSSL 0.9.8c 05 Sep 2006:
---- saruman:~# dpkg -l |grep openssl ii openssl 0.9.8c-4etch4 Secure Socket Layer (SSL) binary and related ---- Now we have a Server 2008+E2k7, which shall replace the working 2003 one. However, I cannot sign the CSR generated from 2008 server, it says: ---- saruman:~/ssl/CA# openssl ca -out mittelerde.intern.jk-works.de/cert.pem -config ./openssl.cnf -infiles mittelerde.intern.jk-works.de/certrequest.txt Using configuration from ./openssl.cnf Enter pass phrase for ./private/cakey.pem: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'mellon.jk-works.de' organizationalUnitName:ASN.1 12:'Mail Services' organizationName :ASN.1 12:'JK works GbR.' stateOrProvinceName :ASN.1 12:'Bremen' countryName :PRINTABLE:'DE' The stateOrProvinceName field needed to be the same in the CA certificate (Bremen) and the request (Bremen) ----- This is the CSR generated from New-ExchangeCertificate cmdlet: -----BEGIN NEW CERTIFICATE REQUEST----- MIIETTCCAzUCAQAwazEbMBkGA1UEAwwSbWVsbG9uLmprLXdvcmtzLmRlMRYwFAYD VQQLDA1NYWlsIFNlcnZpY2VzMRYwFAYDVQQKDA1KSyB3b3JrcyBHYlIuMQ8wDQYD VQQIDAZCcmVtZW4xCzAJBgNVBAYTAkRFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAxD77mS4q3g5j+hLzm69Tvz6x52IN8eT+Vfmz9oKmSGYTlnO8Smz0 J/gJ68xXOMg7AiXXFV+0jhjRPOoKsxbnk2ryvmxHTKUQ3QfnidxYlWDrCUCCdL+G HqPQfBwCGms2pk05+mOTOd/RV7HHallVqs6VFpAcrlPih7aLTG8ScFVam/8X2pEy tBsXXTBaWM9mlrb91UgaPho/P0RIv1TARCH1klY5KrdHD7PYXswDLCQiwvYrIpN6 WtaaNH41rX6Igy+TyVQbZ2kJY4TbDSBBaDVF8Y5lB37PZpDzPqA83lnrzIKKmF4F 6a+ZX3JfogCNDCMq+hN9yOkZY5c2m+CZIQIDAQABoIIBmzAaBgorBgEEAYI3DQID MQwWCjYuMC42MDAxLjIwVAYJKwYBBAGCNxUUMUcwRQIBBQwdTWl0dGVsZXJkZS5p bnRlcm4uamstd29ya3MuZGUMEUpLV09SS1NcZXhjaGFkbWluDA5wb3dlcnNoZWxs LmV4ZTByBgorBgEEAYI3DQICMWQwYgIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAA UgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgA aQBjACAAUAByAG8AdgBpAGQAZQByAwEAMIGyBgkqhkiG9w0BCQ4xgaQwgaEwDgYD VR0PAQH/BAQDAgWgMGIGA1UdEQRbMFmCHW1pdHRlbGVyZGUuaW50ZXJuLmprLXdv cmtzLmRlghJtZWxsb24uamstd29ya3MuZGWCGGF1dG9kaXNjb3Zlci5qay13b3Jr cy5kZYIKbWl0dGVsZXJkZTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ53Tt9Vieq XN6UPMDMes2E9RF+FjANBgkqhkiG9w0BAQUFAAOCAQEAdNrzTzzM4O77iUEo5vjj ZFA6psVzoYP2ICDzwPwTiIv4+IlQglC/9YactpK/q+I6jUTIY5imspKcXJFXIeWB RYkniewe0FKgLPr2FtK1jz1mkZ4Fhs8SJevwzxVI8hLUrjlbsVayoR9fD5NzTLZr U8NpoNMTQdVafWwPGrWuaZGDrKyULdX31wQ30Eub78QNd/zxNO2Gua/IJMyrjoaA YKNWG1oxSzovCAISUsy1nuzBytVOHpNdCrh/f61kTS+961j7KJPUsPox5CP3waLK +Z9ZTVl2g2T0eh9fd7inBgcXrMbOeENytpBawznngpRsAVLAuL500yEmymPi12XJ tQ== -----END NEW CERTIFICATE REQUEST----- A CSR generated on Server 2003+E2k7 can be signed without problems. Can you give me a hint on what I have to do to sign the new CSR? Thanks in advance, Jens Schwepe ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
