OpenSSL: Request Certificate Distinguished Name Mismatch Solved

I’m not sure if it’s a bug or a feature, but it’s something I ran into when signing a certificate request with our self-signed certificate authority. The new system is running CentOS 6, and when I tried to sign the request, it would fail saying the state name didn’t match. It prints them both out and, as far as I can tell, they are the same. But something that bothered me gave me a clue. It would print out the Distinguished Name like so:

stateOrProvinceName :ASN.1 12:'Texas'

That ASN part made me think, and this bug post gave me an idea. As I didn’t want to go playing with the policy setting, I read through the openssl.cnf file for more details and I came upon the string_match setting. My CA had been created using the nombstr setting, while in CentOS 6 it was set to utf8only. Editing openssl.cnf on the new system and creating a new request fixed the problem, and now the DN looks like so:

stateOrProvinceName   :PRINTABLE:'Texas'

So just be aware of this setting.
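The two printouts above differ only in the ASN.1 string type of the value: tag 12 is UTF8String, while PRINTABLE is PrintableString (tag 19). The following is an added example, not code from the original post: a small DER reader that reports the string type of each DN attribute and flags attributes whose text is equal but whose type differs. The two sample Names and the helper names are constructed for illustration.

```python
# Added example: the sample Names are constructed, not from a real CA or request.
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString",
                0x14: "T61String", 0x16: "IA5String", 0x1E: "BMPString"}
ATTR_NAMES = {b"\x55\x04\x06": "countryName", b"\x55\x04\x08": "stateOrProvinceName",
              b"\x55\x04\x0a": "organizationName", b"\x55\x04\x03": "commonName"}

def tlv(tag, body):                        # encode one DER element
    assert len(body) < 0x80                # short-form length is enough for the samples
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):                        # (tag, value) elements inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def dn_attributes(name_der):
    """Return [(attribute, string type, text)] for a DER-encoded X.501 Name."""
    _, rdns, _ = read_tlv(name_der, 0)                  # Name ::= SEQUENCE OF RDN
    result = []
    for _, rdn in children(rdns):                       # RDN ::= SET OF attribute
        for _, atv in children(rdn):                    # SEQUENCE { OID, value }
            (_, oid), (tag, value) = children(atv)
            text = value.decode("utf-16-be" if tag == 0x1E else "utf-8", "replace")
            result.append((ATTR_NAMES.get(oid, oid.hex()),
                           STRING_TYPES.get(tag, f"ASN.1 {tag}"), text))
    return result

def type_mismatches(ca_name, req_name):
    """Attributes whose text is equal but whose ASN.1 string type differs."""
    ca = {attr: (kind, text) for attr, kind, text in dn_attributes(ca_name)}
    return [(attr, ca[attr][0], kind) for attr, kind, text in dn_attributes(req_name)
            if attr in ca and ca[attr][1] == text and ca[attr][0] != kind]

def make_name(state, string_tag):
    """Build a one-attribute Name (stateOrProvinceName) with the given string tag."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x08") + tlv(string_tag, state.encode()))
    return tlv(0x30, tlv(0x31, atv))

CA_NAME = make_name("Texas", 0x13)     # PrintableString, as in the CA's DN
REQ_NAME = make_name("Texas", 0x0C)    # UTF8String (ASN.1 tag 12), as in the request
```

On real files, openssl asn1parse labels each DN value as UTF8STRING or PRINTABLESTRING, which gives the same information. The openssl.cnf option that selects the string type for new requests is named string_mask.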

