Hi Gabriel,

openssl performs as it is described.

You probably wanted the behaviour activated by the option "supplied"
which requires the DN component to be present, but doesn't tie it to the
corresponding entry in the CA DN.

Regards
Willy

On 19.09.2011 17:02, Gabriel Marques wrote:
> Hello folks,
> 
> I'm developing a tool for signing digital TV apps, and for testing I'm
> creating a lot of different test scenarios.
> 
> Well, using OpenSSL 1.0.0e to create a new certificate, signed by a
> snakeoil one I got the following error:
> --> The stateOrProvinceName field needed to be the same in the
> --> CA certificate (SP) and the request (SP)
> 
> As it was just a test, I've changed openssl.conf to:
> ...
> [ policy_match ]
> countryName        = match
> stateOrProvinceName    = optional
> organizationName    = match
> ...
> 
> But then I get:
> --> The organizationName field needed to be the same in the
> --> CA certificate (ACME SA) and the request (ACME SA)
> 
> I can just put everything as optional, as it's just a test scenario and
> this issue is not in the scope of the test, but it made me wonder what
> was going on, as the Ubuntu distro version of OpenSSL (0.9.8k) was not
> complaining, with the same conf. file.
> 
> Playing some more I came with these steps to reproduce:
> 1) Using  OpenSSL 0.9.8k
> --> openssl ecparam -genkey -name prime256v1 -out ca.key
> --> openssl req -new -key ca.key -out ca.csr -subj '/C=BR/ST=SP/L=Sao
> Paulo/O=ACME SA/OU=bank/CN=ACME root CA'
> --> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.pem
> 2) Now using OpenSSL 1.0.0e
> --> openssl ecparam -genkey -name prime256v1 -out ecKey.pem
> --> openssl req -new -key ecKey.pem -out client.csr -batch -subj
> '/C=BR/ST=SP/L=Sao Paulo/O=ACME SA/OU=bank/CN=ecdsaTest'
> --> openssl ca -in client.csr -out client.pem -cert ca.pem -keyfile
> ca.key -startdate 110728133018Z -enddate 120728183030Z -batch -noemailDN
> -- The organizationName field needed to be the same in the CA
> certificate (ACME SA) and the request (ACME SA)
> 
> Shouldn't this work or am I missing something?
> 
> Regards,
>    Gabriel Marques.
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org


-- 
-----------------------------------------------------------
Willy Weisz

                  University of  Vienna
               Computational Science Center
                 Nordbergstrasse 15/C312
                 A-1090 Wien
Tel: (+43 1) 4277 - 23724          Fax: (+43 1) 4277 - 9237
Mobile: +43 699 10109546    e-mail:willy.we...@univie.ac.at
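
The three policy values discussed in this thread (match, supplied, optional), modelled in Python as an added example that is not part of the thread and is not OpenSSL code. The section name policy_supplied, the two request subjects and the plain string comparison of values are assumptions of this model.

```python
import configparser

# Constructed config: [ policy_match ] is the section quoted in the thread;
# [ policy_supplied ] is a hypothetical section using "supplied" instead.
CONF = """\
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match

[ policy_supplied ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
"""
LONG = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
        "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName"}

def load_policies(text):
    """Return {section name: {field: rule}} from openssl.cnf-style text."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the case of field names
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}

def parse_subj(subj):
    """Turn a -subj string into {long field name: value} (no escaped '/' handling)."""
    pairs = (part.split("=", 1) for part in subj.strip("/").split("/"))
    return {LONG[k]: v for k, v in pairs}

def check(policy, ca_dn, req_dn):
    """List the fields of req_dn that violate the policy (plain string compare)."""
    errors = []
    for field, rule in policy.items():
        value = req_dn.get(field)
        if rule == "optional":
            continue  # may be absent, any value accepted
        if value is None:
            errors.append(f"{field}: required by '{rule}' but absent")
        elif rule == "match" and value != ca_dn.get(field):
            errors.append(f"{field}: {value!r} differs from CA {ca_dn.get(field)!r}")
    return errors

POLICIES = load_policies(CONF)
CA = parse_subj("/C=BR/ST=SP/L=Sao Paulo/O=ACME SA/OU=bank/CN=ACME root CA")
OTHER_ORG = parse_subj("/C=BR/ST=RJ/O=Other Org/CN=test")  # constructed request
NO_ORG = parse_subj("/C=BR/CN=test")                        # constructed request

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        for label, req in (("OTHER_ORG", OTHER_ORG), ("NO_ORG", NO_ORG)):
            print(name, label, check(policy, CA, req) or "accepted")
```

With "supplied", a request naming a different organization is accepted, while one that omits the field is still rejected.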