When I try to sign a certificate, I get this message and yet the certificate and the key match Someone can help me? Tank You! Richard Simard root@PKI:/# /usr/bin/openssl ca -selfsign -config /etc/root-ca.conf -in /ca/network-ca/csr/network-ca.csr -out /ca/network-ca/crt/network-ca.crt -extensions intermediate_ca_ext -startdate 20210101000000Z -enddate 20311231235959Z Using configuration from /etc/root-ca.conf Enter pass phrase for ./ca/root-ca/key/root-ca.key: ************ Check that the request matches the signature Certificate request and CA private key do not match root@PKI:/# root@PKI:/# /usr/bin/openssl x509 -in /ca/root-ca/crt/root-ca.crt -noout -modulus | openssl md5 (stdin)= 53db1fd33d0df01c23fc588bab1697e3 root@PKI:/# /usr/bin/openssl rsa -in /ca/root-ca/key/root-ca.key -noout -modulus | openssl md5 Enter pass phrase for /ca/root-ca/key/root-ca.key: ************ (stdin)= 53db1fd33d0df01c23fc588bab1697e3 root@PKI:/# /usr/bin/openssl req -in /ca/root-ca/csr/root-ca.csr -noout -modulus | openssl md5 (stdin)= 53db1fd33d0df01c23fc588bab1697e3 root@PKI:/# root-ca.conf : [ default ] ca = root-ca dir = . base_url = http://pki.groupesti.com crl_url = http://crl.groupesti.com ocsp_url = http://ocsp.groupesti.com cps_url = http://cps.groupesti.com aia_url = $base_url/$ca.cer crl_url = $crl_url/$ca.crl name_opt = multiline, -esc_msb, utf8 openssl_conf = openssl_init [ root_ca ] certificate = $dir/ca/$ca/crt/$ca.crt private_key = $dir/ca/$ca/key/$ca.key new_certs_dir = $dir/ca/$ca/newcrt serial = $dir/ca/$ca/db/$ca.crt.srl crlnumber = $dir/ca/$ca/db/$ca.crl.srl database = $dir/ca/$ca/db/$ca.db unique_subject = no default_days = 3652 default_md = sha512 policy = match_pol email_in_dn = no preserve = no name_opt = $name_opt cert_opt = ca_default copy_extensions = none x509_extensions = intermediate_ca_ext default_crl_days = 30 crl_extensions = crl_ext [ intermediate_ca_ext ] keyUsage = critical, keyCertSign, cRLSign basicConstraints = critical, CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always authorityInfoAccess = @issuer_info crlDistributionPoints = @crl_info certificatePolicies = @policy_intermediate_ca_ext MsCaV = DER:02:01:02 network-ca.conf: [ default ] ca = network-ca dir = . base_url = http://pki.groupesti.com crl_url = http://crl.groupesti.com ocsp_url = http://ocsp.groupesti.com cps_url = http://cps.groupesti.com aia_url = $base_url/$ca.cer crl_url = $crl_url/$ca.crl name_opt = multiline, -esc_msb, utf8 openssl_conf = openssl_init [ req ] default_bits = 8192 encrypt_key = yes default_md = sha512 utf8 = yes string_mask = utf8only prompt = no distinguished_name = ca_dn req_extensions = ca_reqext string_mask = MASK:0x2002 [ network_ca ] certificate = $dir/ca/$ca/crt/$ca.crt private_key = $dir/ca/$ca/key/$ca.key new_certs_dir = $dir/ca/$ca/newcrt serial = $dir/ca/$ca/db/$ca.crt.srl crlnumber = $dir/ca/$ca/db/$ca.crl.srl database = $dir/ca/$ca/db/$ca.db unique_subject = no default_days = 3652 default_md = sha512 policy = match_pol email_in_dn = no preserve = no name_opt = $name_opt cert_opt = ca_default copy_extensions = none x509_extensions = signing_ca_ext default_crl_days = 1 crl_extensions = crl_ext
