
For testing, I'm trying to do these 3 steps:

  • generate a CA certificate for "My Own CA Company"
  • generate a certificate request for another entity "My Customer"
  • sign the request using the CA certificate

I'm failing at the last step (see below). I think my problem is that I have a wrong understanding of the steps I'm doing, but I can't figure out what it is.

```sh
# generate self signed CA certificate
openssl req -x509 -days 2557 -newkey rsa:1024 -out ca-cert.pem -keyout ca-sec-key.pem

# for another entity, generate another private key and a signing request
openssl req -newkey rsa:1024 -out sub-request.pem -keyout sub-sec-key.pem

# the following fails:
# sign the request using the CA certificate and key
openssl ca -cert ca-cert.pem -keyfile ca-sec-key.pem -in sub-request.pem -out sub-cert.pem
```

Error:

The organizationName field needed to be the same in the
CA certificate (My Own CA Company) and the request (My Customer)

I do not understand why openssl is complaining about these being different at all. I think they should be different.

Daniel S.
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww May 17 '15 at 21:08
  • Possible duplicate of [How do you sign Certificate Signing Request with your Certification Authority?](http://stackoverflow.com/q/21297139) – jww May 17 '15 at 21:10
  • @jww it's not exactly a duplicate, because the other question asks which of two ways that work for the other OP is preferred, while I did not succeed with either of the two ways. Instead, I have a problem with one of these ways and an error message - thus another question - which the other question does not cover. – Daniel S. May 21 '15 at 14:23
  • @jww This question is about "tools commonly used by programmers". Thus it is on topic. Let me know who else, other than a programmer, would use openssl. Certainly not an end user who wants to sign his email. – Daniel S. May 21 '15 at 14:25
  • My apologies. On reading, it sounded like a Dev Ops question, where you needed help with using the OpenSSL commands. For help with using commands, like `openssl` and `ls`, Super User is usually a better fit. – jww May 21 '15 at 20:27

1 Answer


Most probably your OpenSSL config is based on the default config file (`openssl.cnf`), which restricts the value of the organizationName DN component. In the CA section find the `policy=<section_name>` entry and change `organizationName=match` to `organizationName=supplied` as in:

```ini
[ policy_match ]
organizationName    = supplied
```
Hans Z.
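Added example, not code from the question or the answer: a small Python model of the policy check that `openssl ca` performs on the request's subject, run over a constructed openssl.cnf fragment whose `policy_match` section mirrors the stock defaults and whose `policy_fixed` section carries the one-line change above. The two DNs and the section name `policy_fixed` are assumptions; the messages follow the shape of the ones openssl prints.

```python
import re

# Constructed openssl.cnf fragment: policy_match mirrors the stock defaults,
# policy_fixed is the same section with organizationName changed to 'supplied'.
CNF = """
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_fixed ]
countryName = match
stateOrProvinceName = match
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

def parse_section(cnf, name):
    """Return {field: rule} for one [section] of an openssl.cnf-style text."""
    rules, inside = {}, False
    for line in cnf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"\[\s*(\S+)\s*\]", line)
        if m:
            inside = (m.group(1) == name)             # entered another section?
        elif inside and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            rules[k] = v
    return rules

def check_policy(rules, ca_dn, req_dn):
    """Apply openssl ca's policy rules; return the first violation, else None."""
    for field, rule in rules.items():
        req_val = req_dn.get(field)
        if rule == "optional":
            continue
        if req_val is None:  # both 'supplied' and 'match' require the field
            return f"The {field} field needed to be supplied and was missing"
        if rule == "match" and ca_dn.get(field) != req_val:
            return (f"The {field} field needed to be the same in the "
                    f"CA certificate ({ca_dn.get(field)}) and the request ({req_val})")
    return None

# Constructed subject DNs for the CA certificate and the customer's request.
CA_DN = {"countryName": "DE", "stateOrProvinceName": "Berlin", "organizationName": "My Own CA Company", "commonName": "My Own CA"}
REQ_DN = {"countryName": "DE", "stateOrProvinceName": "Berlin", "organizationName": "My Customer", "commonName": "customer.example"}
```

Calling `check_policy(parse_section(CNF, "policy_match"), CA_DN, REQ_DN)` reproduces the organizationName error from the question, while the same call with `policy_fixed` returns `None`; a request that omits commonName is still rejected under `supplied`.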