Wednesday, August 19, 2009

SSL countries don't match?

Problem:

server:~/myCA # openssl ca -out certs/server.cert.pem -days 1461 -keyfile private/myCA.key.pem -extensions v3_ca_has_san -config ./openssl.cnf -infiles requests/server.req.pem

Using configuration from ./openssl.cnf
Enter pass phrase for private/myCA.key.pem:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (US)

server:~/myCA #


Uh-oh? Why can't I sign a certificate with my CA setup in Australia, for a server in the USA?

Simple: the policy section in the CA's openssl.cnf (policy_match by default) requires the request's countryName, stateOrProvinceName and organizationName to "match" the values in the CA certificate itself, i.e. the requested cert's fields must equal those of the signing CA, so an AU CA refuses a US request.

Alter these in the CA's openssl.cnf from "match" to "supplied" instead (this is the section the policy = policy_match line in [ CA_default ] points at):

[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied

Note that "supplied" only requires the field to be present in the request; whatever country, state and organization the requester put in will be issued as-is, so look at the request's subject before signing (openssl req -noout -subject -in requests/server.req.pem).
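
To make the policy semantics concrete, here is an added example (mine, not code from this post or from OpenSSL) that re-implements in Python the subject check openssl ca performs against a policy section. The AU CA subject, the US request subject, and the stock and loosened [ policy_match ] sections are constructed for illustration; the error messages mimic the form seen in the output above, and the config parser is a minimal stand-in for OpenSSL's own config reader.

```python
import re

# Constructed subjects mirroring the post: a CA set up in Australia and a
# server request from the USA. Illustrative values only, not real certs.
CA_SUBJECT = {
    "countryName": "AU",
    "stateOrProvinceName": "New South Wales",
    "organizationName": "Example Pty Ltd",
    "commonName": "Example Root CA",
}
REQ_SUBJECT = {
    "countryName": "US",
    "stateOrProvinceName": "California",
    "organizationName": "Example Inc",
    "commonName": "server.example.test",
}
# A second constructed request that omits organizationName entirely.
REQ_NO_ORG = {k: v for k, v in REQ_SUBJECT.items() if k != "organizationName"}

# The stock [ policy_match ] section from OpenSSL's default openssl.cnf.
STOCK_POLICY = """
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

# The same section after the post's edit: the three "match" lines become "supplied".
LOOSENED_POLICY = """
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""


def parse_section(cnf_text, section):
    """Return {field: rule} for one [ section ] of openssl.cnf-style text.

    Minimal parser: '# comments', '[ name ]' headers and 'key = value' only;
    it does not handle the rest of OpenSSL's config syntax ($var, .include).
    """
    rules, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            continue
        if current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            rules[key] = value
    return rules


def apply_policy(policy, ca_subject, req_subject):
    """Emulate the subject check 'openssl ca' performs against a policy section.

    Returns (ok, message, issued_subject). Rules per the ca(1) man page:
      match    - field must be present in the request and equal the CA's value
      supplied - field must be present in the request (any value accepted)
      optional - field may be present; copied through if it is
    Fields absent from the policy are dropped from the issued subject.
    """
    issued = {}
    for field, rule in policy.items():
        req_val = req_subject.get(field)
        if rule in ("match", "supplied") and req_val is None:
            return False, f"The {field} field needed to be supplied and was missing", {}
        if rule == "match":
            ca_val = ca_subject.get(field)
            if req_val != ca_val:
                return (False,
                        f"The {field} field needed to be the same in the "
                        f"CA certificate ({ca_val}) and the request ({req_val})",
                        {})
            issued[field] = req_val
        elif rule == "supplied":
            issued[field] = req_val
        elif rule == "optional":
            if req_val is not None:
                issued[field] = req_val
        else:
            return False, f"Unknown policy rule {rule!r} for {field}", {}
    return True, "ok", issued


def sign_check(policy_text, req_subject=REQ_SUBJECT, ca_subject=CA_SUBJECT):
    """Parse [ policy_match ] out of policy_text and run the check against it."""
    return apply_policy(parse_section(policy_text, "policy_match"), ca_subject, req_subject)


if __name__ == "__main__":
    cases = [
        ("stock policy, US request", STOCK_POLICY, REQ_SUBJECT),
        ("loosened policy, US request", LOOSENED_POLICY, REQ_SUBJECT),
        ("loosened policy, request without O", LOOSENED_POLICY, REQ_NO_ORG),
    ]
    for label, text, req in cases:
        ok, msg, subj = sign_check(text, req)
        print(f"{label}: {'would sign' if ok else 'refused'} - {msg}")
        if ok:
            print("  issued subject:", subj)
```

Running it shows the three behaviours side by side: the stock section refuses the US request on countryName exactly as in the session above, the loosened section would issue it with the requester's own C/ST/O, and "supplied" still refuses a request that leaves organizationName out.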
