Openssl config file string_mask


Richard Olsen
On our RHEL7 system I created a local CA. When I try to sign the Linux-created CSR there is no problem. But when trying to sign Palo Alto or F5 CSRs, it errors with

The stateOrProvinceName field needed to be the same
in the CA certificate CA certificate (My Entry) and the request (My Entry)

So, researching, I found the references to openssl asn1parse to see the encoding of the CSR. The PA and F5 CSRs use PRINTABLESTRING instead of UTF8 like the openssl req command from the command line.

I have been trying to use the string_mask option in the openssl.cnf. I've tried setting it to multiple options (one at a time) as listed in the default config. It still fails every time. I've verified that I am using the correct config file that I've modified. (Using configuration from when I run the command)

string_mask = nombstr
string_mask = default
string_mask = pkix


I know that I can change policy_match from match to either optional or supplied, but I don't want to have to do that. I don't get any error when I put a random entry in the string_mask variable, but I don't know if that is a way to test the config file anyway.

Rick.
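
An added illustration, not part of the original post and not OpenSSL's own code: the sketch below walks a DER-encoded Name and lists attributes whose text is identical while the ASN.1 string type differs, which is the situation the post describes (UTF8STRING on one side, PRINTABLESTRING on the other). The two Names are constructed one-attribute samples reusing the post's "My Entry" placeholder, and all function names are hypothetical.

```python
# Added example: constructed DER data, not taken from the post.
TAG_NAMES = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING",
             0x14: "T61STRING", 0x1E: "BMPSTRING"}
ST_OID = bytes.fromhex("550408")  # 2.5.4.8 stateOrProvinceName
OID_NAMES = {ST_OID: "stateOrProvinceName"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def name_attributes(der_name):
    """Yield (oid, string_tag, value) for every attribute in a DER Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)        # SET (one RDN)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)         # SEQUENCE {OID, string}
            _, oid, q = read_tlv(atv, 0)
            string_tag, value, _ = read_tlv(atv, q)
            yield oid, string_tag, value


def build_name(oid, string_tag, text):
    """Constructed test data: one-attribute Name, short-form lengths only."""
    def tlv(tag, body):
        return bytes([tag, len(body)]) + body
    atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode()))
    return tlv(0x30, tlv(0x31, atv))


def type_mismatches(ca_name, csr_name):
    """List attributes whose text matches but whose string type differs."""
    ca = {oid: (tag, val) for oid, tag, val in name_attributes(ca_name)}
    return [(OID_NAMES.get(oid, oid.hex()), TAG_NAMES.get(ca[oid][0]),
             TAG_NAMES.get(tag))
            for oid, tag, val in name_attributes(csr_name)
            if oid in ca and ca[oid][1] == val and ca[oid][0] != tag]


CA_NAME = build_name(ST_OID, 0x0C, "My Entry")    # UTF8String
CSR_NAME = build_name(ST_OID, 0x13, "My Entry")   # PrintableString
print(type_mismatches(CA_NAME, CSR_NAME))
```

The parser takes a bare Name, so a real subject would first have to be extracted from the CSR or certificate; any comparison that includes the tag byte sees these two values as different even though both print as "My Entry".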