1. Check if the certificate for your root CA specifies any
  "path restrictions" or similar that says that it cannot
  validly sign certificates outside some state or province.
   Having such restrictions in a root CA is GOOD whenever
  possible, because it limits the damage that can be done
  if the CA security is compromised, and because it limits
  the reasons other people might not want to install your
  root CA into their browsers/mail programs/computers.

2. Check if the settings in your openssl.cnf file specify
  that the "StateOrProvince" field needs to have a
  specific value when running the CA command.

If #1 is the issue, you cannot change it without
regenerating the self-signed root CA cert (using the same
key etc. for an easier transition) and then install the
new version of this cert in all the computers and programs
where the old version was installed.

If #2 is the issue, all you need to do is to find and
change that line in openssl.cnf.  That line almost
certainly says "StateOrProvince" on it, so it should
be easy to find.

On 11/12/2015 15:18, Mohammad Jebran wrote:
Please can I have some advice on this query.

Regards,
Jebran.

On Tue, Dec 8, 2015 at 11:18 AM, Mohammad Jebran <imjeb...@gmail.com> wrote:

    I have to sign a sub-CA through my current root CA using
    openSSL. Everything I have configured as per instructions, but I am
    still getting an error that "stateOrProvinceName field needed to be
    the same", as mentioned below.

    root@machine:~/ImportantCACerts/intermediate# openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/subca2.csr -out certs/subca2.crt
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (HK) and the request (HK)



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
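
The check in point 2 of the reply above, as an added example that is not part of the original thread: it resolves which policy section `openssl ca` uses by default and lists the fields set to `match`, which must equal the CA certificate's value. The sample configuration and the section names `CA_default`, `policy_strict` and `policy_loose` are constructed for illustration.

```python
import re

# Constructed sample openssl.cnf (not taken from the thread).
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir    = /root/ca
policy = policy_strict   # active policy for openssl ca

[ policy_strict ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
commonName             = supplied
"""

def parse_cnf(text):
    """Parse [ section ] headers and key = value pairs, dropping # comments."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def active_policy(sections):
    """Follow [ca] default_ca -> CA section -> policy, as openssl ca does by default."""
    return sections[sections["ca"]["default_ca"]]["policy"]

def fields_requiring_match(sections, policy=None):
    """Return the DN fields that must be identical in the CA certificate and the request."""
    policy = policy or active_policy(sections)
    return [field for field, rule in sections[policy].items() if rule == "match"]

if __name__ == "__main__":
    cnf = parse_cnf(SAMPLE_CNF)
    print("active policy:", active_policy(cnf))
    print("must equal the CA certificate:", fields_requiring_match(cnf))
```

Changing a field's rule from `match` to `optional` or `supplied` in the active policy section, or pointing `policy` at a looser section, is the edit point 2 refers to.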
