OpenSSL CA Signing Error field needed to be the same in the CA certificate

• Updated May 13, 2017

When signing a Certificate Signing Request (CSR) with my own Certificate Authority (CA), the following error occurs even though both strings in parentheses are visually the same:

The stateOrProvinceName field needed to be the same in the CA certificate (Texas) and the request (Texas)

I encountered this error when creating a CSR on OS X Mountain Lion and then sending the CSR to a Fedora 18 box to be signed by my own CA.

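The error occurs because string_mask on OS X (set in /System/Library/OpenSSL/openssl.cnf) is nombstr, whereas on Fedora, and probably other Linux distributions, it is utf8only. string_mask controls which ASN.1 string types OpenSSL uses when it encodes name fields, so the CSR and the CA certificate carry the same text in different encodings, and the comparison fails even though the printed values look identical.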

To fix this, change the string_mask parameter to utf8only in /System/Library/OpenSSL/openssl.cnf on OS X, or create the CSR on a Linux box instead.
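To confirm that the encoding is what differs, the following added example (not part of the original post) creates a throwaway CSR under each of the two string_mask values and prints the ASN.1 type OpenSSL chose for stateOrProvinceName. The function name, temporary files and the single-field subject are constructed for the demo; the same -nameopt show_type option can be pointed at a real CSR or CA certificate.

```shell
#!/bin/sh
# Added example: show which ASN.1 string type a given string_mask produces
# for stateOrProvinceName. The config, key and CSR are throwaway files.

st_type_for_mask() {
    mask=$1
    dir=$(mktemp -d) || return 1

    # Minimal request config; only string_mask varies between runs.
    printf '%s\n' \
        '[ req ]' \
        'distinguished_name = dn' \
        'prompt = no' \
        "string_mask = $mask" \
        '[ dn ]' \
        'ST = Texas' > "$dir/openssl.cnf"

    # Generate a key and a CSR with that config.
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null || {
        rm -rf "$dir"
        return 1
    }

    # show_type prefixes every value with its ASN.1 string type,
    # e.g. "stateOrProvinceName = UTF8STRING:Texas". Keep only the type.
    openssl req -in "$dir/req.csr" -noout -subject \
        -nameopt multiline,show_type |
        sed -n 's/.*stateOrProvinceName *= *\([A-Z0-9]*\):.*/\1/p'

    rm -rf "$dir"
}

# Same text, two encodings: this is the difference behind the error.
for m in nombstr utf8only; do
    printf '%-9s -> %s\n' "$m" "$(st_type_for_mask "$m")"
done
```

To inspect a CA certificate the same way, use openssl x509 -in <file> -noout -subject -nameopt multiline,show_type and compare the type shown for each field with the CSR's.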

