Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
On Mon, Jan 24, 2011 at 10:38 AM, Jeff B wrote: > You are right. I changed: > > [ policy_match ] > countryName = match > stateOrProvinceName = match > organizationName = match > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > to > > [ policy_match ] > countryName = optional > stateOrProvinceName = optional > organizationName = supplied > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > > Aside from the Country and State missing It also complained that the > organizationName didn't match the org name of my CA so I had to change > the 3rd line from match to supplied. > > > > On Mon, Jan 24, 2011 at 10:26 AM, Rob Crittenden wrote: >> Jeff B wrote: >>> >>> I'm not sure if this is a user error or a bug. I didn't see a way to >>> tell OpenSSL to not require that Country be in the CSR. >>> >>> Check that the request matches the signature >>> Signature ok >>> The Subject's Distinguished Name is as follows >>> organizationName :PRINTABLE:'MYREALM.COM' >>> commonName :PRINTABLE:'Certificate Authority' >>> The mandatory countryName field was missing >>> >>> I didn't see anything in Trac regarding this. >>> >> >> I don't know a ton about OpenSSL but I think it is because the default >> configuration file, /etc/pki/tls/openssl.cnf, requires country. You should >> be able to provide your own config file to the openssl commands. >> >> rob >> > ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
Jeff B wrote: I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR. Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows organizationName :PRINTABLE:'MYREALM.COM' commonName:PRINTABLE:'Certificate Authority' The mandatory countryName field was missing I didn't see anything in Trac regarding this. I don't know a ton about OpenSSL but I think it is because the default configuration file, /etc/pki/tls/openssl.cnf, requires country. You should be able to provide your own config file to the openssl commands. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] OpenSSL CA complains that CSR from --external-ca missing mandatory Country field.
I'm not sure if this is a user error or a bug. I didn't see a way to tell OpenSSL to not require that Country be in the CSR. Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows organizationName :PRINTABLE:'MYREALM.COM' commonName:PRINTABLE:'Certificate Authority' The mandatory countryName field was missing I didn't see anything in Trac regarding this. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel