sign sub CA issue

1. Check if the certificate for your root CA specifies any
   "path restrictions" or similar that says that it cannot
   validly sign certificates outside some state or province.
   Having such restrictions in a root CA is GOOD whenever
   possible, because it limits the damage that can be done
   if the CA security is compromised, and because it limits
   the reasons other people might not want to install your
   root CA into their browsers/mail programs/computers.

2. Check if the settings in your openssl.cnf file specify
   that the "StateOrProvince" field needs to have a
   specific value when running the CA command.

If #1 is the issue, you cannot change it without
regenerating the self-signed root CA cert (using the same
key etc. for an easier transition) and then install the
new version of this cert in all the computers and programs
where the old version was installed.

If #2 is the issue, all you need to do is to find and
change that line in openssl.cnf.  That line almost
certainly says "StateOrProvince" on it, so it should
be easy to find.

On 11/12/2015 15:18, Mohammad Jebran wrote:
> Please can I have some advice on this query.
>
> Regards,
> Jebran.
>
> On Tue, Dec 8, 2015 at 11:18 AM, Mohammad Jebran <imjebran at gmail.com 
> <mailto:imjebran at gmail.com>> wrote:
>
>     I have to sign a sub-CA through my current root CA using
>     OpenSSL. Everything I have configured as per instructions but still
>     getting an error that "stateOrProvinceName field needed to be the
>     same", as mentioned below.
>
>     /root at machine:~/ImportantCACerts/intermediate# openssl ca
>     -config openssl.cnf -extensions v3_intermediate_ca -days 3650
>     -notext -md sha256 -in csr/subca2.csr -out certs/subca2.crt/
>
>     /Using configuration from openssl.cnf/
>
>     /Check that the request matches the signature/
>
>     /Signature ok/
>
>     /The stateOrProvinceName field needed to be the same in the/
>
>     /CA certificate (HK) and the request (HK)/
>
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
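
As an added example (not part of the original message and not OpenSSL's own code), this Python sketch follows `[ca] default_ca` to the policy section that `openssl ca` applies and flags request fields that a `match` or `supplied` rule would reject. The sample configuration, the section name `policy_strict` and the DN values are constructed, and the comparison is on field text only.

```python
# Added example: report the DN policy `openssl ca` will apply and pre-check a request.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
policy = policy_strict        # constructed section name

[ policy_strict ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
"""

def parse_sections(text):
    """Minimal openssl.cnf reader: [section] headers and key = value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def active_policy(text):
    """Follow [ca] default_ca -> policy to the section that lists the rules."""
    sections = parse_sections(text)
    ca_section = sections[sections["ca"]["default_ca"]]
    return ca_section["policy"], sections[ca_section["policy"]]

def precheck(policy, ca_dn, req_dn):
    """Return (field, rule) pairs the policy would reject (text comparison only)."""
    problems = []
    for field, rule in policy.items():
        if rule == "match" and req_dn.get(field) != ca_dn.get(field):
            problems.append((field, "match"))
        elif rule == "supplied" and not req_dn.get(field):
            problems.append((field, "supplied"))
    return problems

if __name__ == "__main__":
    name, policy = active_policy(SAMPLE_CNF)
    ca_dn = {"countryName": "HK", "stateOrProvinceName": "HK", "organizationName": "Example Org"}
    req_dn = dict(ca_dn, stateOrProvinceName="Kowloon", commonName="Example Sub CA")  # constructed
    print(name, [f for f, r in policy.items() if r == "match"])
    print(precheck(policy, ca_dn, req_dn))
```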
