OpenSSL CA Signing Error field needed to be the same in the CA certificate

• Updated May 13, 2017

When signing a Certificate Signing Request (CSR) with my own Certificate Authority (CA), the following error occurs even though both strings in parentheses are visually the same:

The stateOrProvinceName field needed to be the same in the CA certificate (Texas) and the request (Texas)

I encountered this error when creating a CSR on OS X Mountain Lion and then sending the CSR to a Fedora 18 box to be signed by my own CA.

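The error occurs because string_mask on OS X (found in /System/Library/OpenSSL/openssl.cnf) is set to nombstr, whereas on Fedora, and probably other Linux distributions, it is set to utf8only. The string_mask setting controls which ASN.1 string types OpenSSL uses when it writes name fields: with nombstr the CSR's field is written as a PrintableString (or T61String), while with utf8only it is written as a UTF8String. The two values display as the same text but are encoded with different types, so the CA's check that the fields match fails.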

To fix this, change the string_mask parameter to utf8only in /System/Library/OpenSSL/openssl.cnf on OS X, or create the CSR on a Linux box instead.
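
To see why two identical-looking values fail to match, this added example (not from the original post) builds two DER-encoded names for "Texas", one tagged the way string_mask = utf8only writes it and one the way nombstr writes it, and reads back the string type of stateOrProvinceName. The helper names and the type-sensitive fields_match comparison are assumptions made for illustration, not OpenSSL's own code.

```python
# Added example: the DER below is constructed for illustration, not from a real CSR.
ST_OID = bytes.fromhex("550408")  # OID 2.5.4.8, stateOrProvinceName
STRING_TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
               0x14: ("T61String", "latin-1"), 0x1E: ("BMPString", "utf-16-be")}

def tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, body) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def state_field(name_der):
    """Return (ASN.1 string type, text) of stateOrProvinceName in a DER Name."""
    _, rdns, _ = read_tlv(name_der, 0)          # Name: SEQUENCE OF RDN
    for _, rdn in children(rdns):               # RDN: SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (tag, val) = children(atv)
            if oid == ST_OID:
                kind, codec = STRING_TAGS.get(tag, (hex(tag), "latin-1"))
                return kind, val.decode(codec)
    return None

def make_name(string_tag, state):
    """Build a one-attribute Name whose state uses the given string tag."""
    atv = tlv(0x30, tlv(0x06, ST_OID) + tlv(string_tag, state.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def fields_match(name_a, name_b):
    """Type-sensitive comparison: same text with a different type is a mismatch."""
    return state_field(name_a) == state_field(name_b)

ca_name = make_name(0x0C, "Texas")    # UTF8String, as string_mask = utf8only writes it
csr_name = make_name(0x13, "Texas")   # PrintableString, as nombstr writes it
print(state_field(ca_name), state_field(csr_name), fields_match(ca_name, csr_name))
```

On real files, `openssl asn1parse -in <file>` prints the same type information (PRINTABLESTRING versus UTF8STRING) next to each subject field.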

