f.haeder.net

New SSL CSR doesn't want to validate with local CA file

I have created a new certificate for another sub domain. But now it got stuck with a typcial error message:
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :ASN.1 12:'Northrhine-Westphalia'
organizationName :ASN.1 12:'Roland Haeder'
organizationalUnitName:ASN.1 12:'private'
commonName :ASN.1 12:'some.bla.domain'
emailAddress :IA5STRING:'webmaster@shipsimu.de'
The stateOrProvinceName field needed to be the same in the
CA certificate (Northrhine-Westphalia) and the request (Northrhine-Westphalia)

Well, it looks like the same, right? But it is not, use openssl asn1parse </etc/ssl/your/certs/ca.pem to examine your CA file. Then do the same with the CSR file. And you might see the difference: UTF8STRING and PRINTABLESTRING was here the case.

Well, here you have it. Now go to your openssl-ca.cnf file and fix string_mask to utf8only (or otherwise your certificate's configuration file). I'm currently testing UTF-8 in SSL certificates with my server.
#bug-fix certficate csr openssl ssl
Later posts Earlier posts