How to sign a client's CSR with openssl?

rpkrpk · May 21, 2013 · Viewed 14k times

I am missing something basic and obvious about signing a client's CSR with openssl command.

I have (simulated) two organizations, one is the organization of the certificate authority (exists in California) and the other is the client organization who is in WA state.

I created the certificate authority on a Linux system with openssl command following these steps. http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

I have two files now:

1. cakey.pem, containing the CA's private key. This private key is also protected by a passphrase.
2. cacert.pem, containing the CA's self-signed certificate.

Next, I want to sign all CSRs from the clients. A client from Washington state sends me a file client-csr.pem. I am reading this man page about signing CSRs and the examples at the end. http://www.openssl.org/docs/apps/ca.html

The command I am trying and the error message are as follows. I run these commands on the CA's system, the same system where I created cakey.pem (CA's private key) and cacert.pem (CA's self-signed certificate):

$ openssl ca -in demoCA/csrs/client-csr.pem -out client-cert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (WA)

The question is: why must the state name be the same for both the CA certificate and the client CSR?

The client is NOT in "California", so when they create the CSR they put their own state name (WA). As a certificate authority, I have verified that the client is indeed in WA and that the CSR file indeed came from them. I want to sign this CSR and return a certificate to the client.

Answer

rpkrpk · May 21, 2013

Solved. Thanks dbasic.

On the CA's system where the signing activity takes place, make a copy of /etc/ssl/openssl.cnf, modify it to create a new config file, and use that modified copy when signing.

cp /etc/ssl/openssl.cnf  ./openssl-for-signing-csrs.cnf

Then modify 'countryName', 'stateOrProvinceName' and 'organizationName' to 'supplied'. This indicates that the certificate should use the values from the CSRs and not attempt to match them against the certificate (one would attempt to 'match' only for self-signing; the default openssl.cnf seems to have been made for self-signing and not for a CA).

80,82c80,82
< countryName           = match
< stateOrProvinceName   = match
< organizationName      = match
---
> countryName           = supplied
> stateOrProvinceName   = supplied
> organizationName      = supplied
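Review bot: the hunk shows lines 80-82 switching from `match` to `supplied` but not the `[ policy_... ]` section header they sit under, and the answer never shows the `openssl ca` invocation that actually selects the copied config; the question's command in its current form still reads /usr/lib/ssl/openssl.cnf. Quote the section name above these three lines and add the signing command that points at ./openssl-for-signing-csrs.cnf so the change can be reproduced against a differently numbered openssl.cnf.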
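A complete, runnable version of the fix above, as an added example that is not from the post or its author: a throwaway CA in California, a CSR from WA, and a config carrying both a 'match' policy section (which reproduces the question's error) and a 'supplied' section, selected per run with `openssl ca -policy`. The directory layout, file names, policy section names and subjects are constructed for the demo.

```shell
# Added example (not from the post): throwaway CA, CSR and config; names are made up.
set -eu
write_config() {    # $1 = CA directory; config is written to $1/signing.cnf
  cat > "$1/signing.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
policy = policy_supplied
# 'match' (the stock default): these DN fields must equal the CA's own
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
# 'supplied': the field must be present in the CSR and is copied as-is
[ policy_supplied ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
commonName = supplied
EOF
}
setup_demo() {      # $1 = directory; CA in California, client CSR from WA (as in the question)
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; write_config "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/signing.cnf" -days 365 \
    -subj "/C=US/ST=California/O=Demo CA/CN=Demo Root CA" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/signing.cnf" \
    -subj "/C=US/ST=WA/O=Client Org/CN=client.example" -keyout "$1/client-key.pem" -out "$1/client-csr.pem" 2>/dev/null
}
sign_csr() {        # $1 = directory, $2 = policy section; exit status is openssl ca's, output goes to a log
  openssl ca -batch -notext -config "$1/signing.cnf" -policy "$2" \
    -in "$1/client-csr.pem" -out "$1/client-cert.pem" > "$1/ca-$2.log" 2>&1
}
cert_state() {      # prints the ST field of the issued certificate's subject
  openssl x509 -in "$1/client-cert.pem" -noout -subject | sed -n 's/.*ST *= *\([^,/]*\).*/\1/p'
}
WORK=$(mktemp -d); setup_demo "$WORK"
sign_csr "$WORK" policy_match || echo "policy_match refused the WA CSR, see $WORK/ca-policy_match.log"
sign_csr "$WORK" policy_supplied && echo "policy_supplied issued a certificate with ST=$(cert_state "$WORK")"
```

The 'match' run fails with the same stateOrProvinceName message as the question; the 'supplied' run issues a certificate whose subject keeps the client's WA.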