OpenSSL CA Signing Error field needed to be the same in the CA certificate

Thursday, May 30, 2013

When signing a CSR with my own CA the following error occurs even though both entries in parentheses are the same:

The stateOrProvinceName field needed to be the same in the CA certificate (Texas) and the request (Texas)

I encountered this error when creating a CSR on OS X Mountain Lion and then sending the CSR to a Fedora 18 box to be signed by my own CA. The problem is due to string_mask on OS X, found in /System/Library/OpenSSL/openssl.cnf, being set to nombstr whereas on Fedora, and probably other Linux distributions, it is set to utf8only.

To fix this simply change the string_mask parameter to utf8only in /System/Library/OpenSSL/openssl.cnf on OS X or create the CSR on a Linux box.

References

OpenSSL signing a certificate with my CA



comments powered by Disqus