strange error when trying to sign CSR

strange error when trying to sign CSR

Gerd Schering
Hi,

when trying to sign a CSR I get the following error:

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'xxx'
organizationName      :ASN.1 12:'xxx'
organizationalUnitName:ASN.1 12:'XXX'
countryName           :ASN.1 12:'DE'
stateOrProvinceName   :ASN.1 12:'Berlin'
localityName          :ASN.1 12:'Berlin'
The countryName field needed to be the same in the
CA certificate (DE) and the request (DE)

Well, the countryName field is definitely the same.
I'm using OpenSSL 0.9.8-dev XX xxx XXXX.
Is this a version issue?

Gerd

--
------------------------------------------------------
-- Gerd Schering, Email: [hidden email]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum      --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin      --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
------------------------------------------------------


Re: strange error when trying to sign CSR

Arsen Hayrapetyan-2
Gerd Schering wrote:

> Hi,
>
> when trying to sign a CSR I get the following error:
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> commonName            :ASN.1 12:'xxx'
> organizationName      :ASN.1 12:'xxx'
> organizationalUnitName:ASN.1 12:'XXX'
> countryName           :ASN.1 12:'DE'
> stateOrProvinceName   :ASN.1 12:'Berlin'
> localityName          :ASN.1 12:'Berlin'
> The countryName field needed to be the same in the
> CA certificate (DE) and the request (DE)
>
> Well, the countryName field is definitely the same.
> I'm using OpenSSL 0.9.8-dev XX xxx XXXX.
> Is this a version issue?
>
> Gerd
>
What is in your config file [policy_match] section?

--
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1  BF6F 95C4 2E77 BBE3 DFD8



Re: strange error when trying to sign CSR

Gerd Schering
Arsen Hayrapetyan wrote:
>
> What is in your config file [policy_match] section?
>
[ policy_match ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


B.t.w. I tried to sign the CSR with a test-ca which uses openssl-0.9.7e.
It worked just fine, so it seems to be a version issue.
Unfortunately openssl-0.9.7e does not support multiple certs for the
same DN, which is a feature I need.

Gerd

Re: strange error when trying to sign CSR

Dr. Stephen Henson
In reply to this post by Gerd Schering
On Wed, Aug 17, 2005, Gerd Schering wrote:

> Hi,
>
> when trying to sign a CSR I get the following error:
>
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> commonName            :ASN.1 12:'xxx'
> organizationName      :ASN.1 12:'xxx'
> organizationalUnitName:ASN.1 12:'XXX'
> countryName           :ASN.1 12:'DE'
> stateOrProvinceName   :ASN.1 12:'Berlin'
> localityName          :ASN.1 12:'Berlin'
> The countryName field needed to be the same in the
> CA certificate (DE) and the request (DE)
>
> Well, the countryName field is definitely the same.
> I'm using OpenSSL 0.9.8-dev XX xxx XXXX.
> Is this a version issue?
>

Are you using an old openssl.cnf format? The ASN.1 12 stuff is indicating a
UTF8String. If you use the new format (the name_opt, cert_opt options in
CA_default both set to ca_default) you should get this displayed correctly.

However back to the original query. The countryName in the two certificates is
a different character type, in one it is PrintableString the other UTF8String.
The 'ca' utility currently regards those as different.

However in countryName only PrintableString is allowed so if you have a
certificate request with UTF8String in there it is broken anyway. So that's
the main problem: an invalid certificate request.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
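
The mismatch described in the reply above can be seen in the DER encoding itself: both subjects carry the text 'DE', but the ASN.1 tag on the countryName value differs (19 for PrintableString, 12 for UTF8String, the "ASN.1 12" in the output). This is an added example, not part of the thread and not OpenSSL code; the helper names and both sample Names are constructed for illustration.

```python
# Added example (not from the thread). All DER bytes below are constructed.
COUNTRY_OID = bytes.fromhex("550406")        # OID 2.5.4.6, countryName
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",   # tags 12 and 19
               0x14: "T61String", 0x16: "IA5String"}

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested inside value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def country_types(name_der):
    """Return [(string_type, text)] for each countryName in a DER Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for _, rdn in children(rdns):            # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):         # AttributeTypeAndValue (SEQUENCE)
            (t_oid, oid), (t_val, val) = list(children(atv))[:2]
            if t_oid == 0x06 and oid == COUNTRY_OID:
                found.append((STRING_TAGS.get(t_val, hex(t_val)),
                              val.decode("utf-8", "replace")))
    return found

def tlv(tag, value):                         # short-form length, samples < 128 bytes
    return bytes([tag, len(value)]) + value

def make_name(country_tag, country=b"DE"):
    """Build a constructed one-attribute Name: C=<country> with the given tag."""
    atv = tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(country_tag, country))
    return tlv(0x30, tlv(0x31, atv))

CA_NAME = make_name(0x13)    # constructed: CA subject, PrintableString 'DE'
REQ_NAME = make_name(0x0C)   # constructed: request subject, UTF8String 'DE'
```

On a real request, `openssl asn1parse -in req.pem` prints the same string type next to each subject attribute.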

Re: strange error when trying to sign CSR

Gerd Schering
Dr. Stephen Henson wrote:

>
> However in countryName only PrintableString is allowed so if you have a
> certificate request with UTF8String in there it is broken anyway. So that's
> the main problem: an invalid certificate request.

Thanks a lot for your help.
B.t.w. is there an rfc or something else where the allowed string types
are defined?

Gerd

Re: strange error when trying to sign CSR

Gerd Schering
Gerd Schering wrote:

> B.t.w. is there an rfc or something else where the allowed string types
> are defined?

Sorry for this question, of course we have rfc2459.

Gerd



Re: strange error when trying to sign CSR

Gerd Schering
In reply to this post by Dr. Stephen Henson
Dr. Stephen Henson wrote:

>
> However back to the original query. The countryName in the two certificates is
> a different character type, in one it is PrintableString the other UTF8String.
> The 'ca' utility currently regards those as different.
>
> However in countryName only PrintableString is allowed so if you have a
> certificate request with UTF8String in there it is broken anyway. So that's
> the main problem: an invalid certificate request.
>

Thanks for your help.
But how could it work on our test-ca using openssl-0.9.7e?
I'm sure the countryName of the CA cert is a PrintableString.

Gerd


Re: strange error when trying to sign CSR

Richard Levitte - VMS Whacker
In reply to this post by Gerd Schering
Gerd Schering writes:

> Sorry for this question, of course we have rfc2459.

*ahem* 3280

Cheers,
Richard

 -----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                       http://richard.levitte.org/ 

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
                                               -- C.S. Lewis


Re: strange error when trying to sign CSR

Gerd Schering
Richard Levitte wrote:
> Gerd Schering writes:
>
>> Sorry for this question, of course we have rfc2459.
>
>
> *ahem* 3280
> Cheers,
> Richard

Yes, yes you're so right!
