Posted comments (4)

Posted by Harneet Singh at June 15, 2010 02:09:09 UTC
A pretty short but up to the point article. I've been used to generating certificates on a Microsoft CA. Ran into an issue where I had to use openssl. The article provided exactly what was required. Kudos!! Adding a bookmark into the browser.
Posted by Dan R. at September 9, 2010 20:53:51 UTC
If you get this error message:

failed to update database
TXT_DB error number 2

that means you tried to sign a key that you already signed before.

If you really meant to do that, add unique_subject=no to the file demoCA\index.txt.attr, and OpenSSL will permit you to sign the key.
Posted by Dan R. at September 14, 2010 00:18:18 UTC
When signing the certificate request (step 8 above), you may get this error:

The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)

The first thing to check is for extra whitespace, but clearly there isn't any in this case. To see the problem, we need to check the encoding.

openssl req -noout -subject -nameopt show_type,sep_multiline -in storereq.pem
subject=
C=PRINTABLESTRING:US
ST=PRINTABLESTRING:PA
L=PRINTABLESTRING:Pittsburgh
O=PRINTABLESTRING:Acme Widgets Inc.
OU=PRINTABLESTRING:Quality Assurance
CN=PRINTABLESTRING:example.com

openssl x509 -noout -subject -nameopt show_type,sep_multiline -in demoCA\cacert.pem
subject=
C=PRINTABLESTRING:US
ST=UTF8STRING:PA
O=UTF8STRING:Acme Widgets Inc.
OU=UTF8STRING:Quality Assurance
CN=UTF8STRING:Bob
emailAddress=IA5STRING:[email protected]

As you can see, Java's keytool program uses "printable" encoding, while OpenSSL uses UTF-8.

Currently the only solution I know is to specify -policy policy_anything on the command-line of the openssl ca command.
Posted by Joe at March 6, 2013 12:37:08 UTC
If you encounter the error (or similar):

The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)

Then see this StackOverflow question on how to get around it: http://stackoverflow.com/questions/6976127/openssl-signing-a-certificate-with-my-ca

The one I found to work was going to openssl/bin/openssl.cfg (on Windows OpenSSL, think Linux has a .cnf file) and changing the attributes to optional:

# For the CA policy

[policy_match]
countryName= optional
stateOrProvinceName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
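Added example, not from the original post or any of the commenters: a small Python script that parses the `-nameopt show_type,sep_multiline` output Dan R. shows above and a `[policy_match]` section like the one Joe quotes, and reports for each policy field whether `openssl ca` would reject the request because the value differs or only because the ASN.1 string type differs (PRINTABLESTRING vs UTF8STRING). The sample subjects are constructed from the values quoted in the comments; the policy rules assumed are the stock OpenSSL `policy_match` ones (countryName, stateOrProvinceName and organizationName set to `match`).

```python
import re
# Short names printed by -nameopt, mapped to the long names used in [policy_*].
SHORT_TO_LONG = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
                 "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName"}

def parse_subject(text):
    """Turn 'ST=UTF8STRING:PA' lines into {longName: (asn1_type, value)}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=([A-Z0-9]+):(.*)$", line)   # skips the bare 'subject=' line
        if m:
            short, asn1_type, value = m.groups()
            fields[SHORT_TO_LONG.get(short, short)] = (asn1_type, value)
    return fields

def parse_policy(text):
    """Turn 'stateOrProvinceName = match' lines into {longName: rule}, ignoring comments."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            name, rule = (p.strip() for p in line.split("=", 1))
            policy[name] = rule
    return policy

def check_request(req_text, ca_text, policy_text):
    """Per policy field: 'ok', 'missing', 'value mismatch' or 'encoding mismatch'."""
    req, ca, policy = parse_subject(req_text), parse_subject(ca_text), parse_policy(policy_text)
    verdicts = {}
    for name, rule in policy.items():
        if name not in req:
            verdicts[name] = "ok" if rule == "optional" else "missing"
        elif rule != "match":
            verdicts[name] = "ok"                 # 'supplied' only requires presence
        else:
            req_type, req_val = req[name]
            ca_type, ca_val = ca.get(name, (None, None))
            if req_val != ca_val:
                verdicts[name] = "value mismatch"
            elif req_type != ca_type:
                verdicts[name] = "encoding mismatch"   # same text, different ASN.1 string type
            else:
                verdicts[name] = "ok"
    return verdicts

# Constructed sample inputs, taken from the subjects quoted in the comments above.
REQ = "C=PRINTABLESTRING:US\nST=PRINTABLESTRING:PA\nO=PRINTABLESTRING:Acme Widgets Inc.\nCN=PRINTABLESTRING:example.com"
CA = "C=PRINTABLESTRING:US\nST=UTF8STRING:PA\nO=UTF8STRING:Acme Widgets Inc.\nCN=UTF8STRING:Bob"
POLICY = "[policy_match]\ncountryName = match\nstateOrProvinceName = match\norganizationName = match\norganizationalUnitName = optional\ncommonName = supplied\nemailAddress = optional"
print(check_request(REQ, CA, POLICY))
```

An "encoding mismatch" verdict is the case described above: the text is identical, so whitespace checks find nothing, and the fix is either re-issuing the request with matching string types or relaxing the rule for that field (`-policy policy_anything`, or `optional` in the config).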