<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><tt>1. Check if the certificate for
your root CA specifies any <br>
"path restrictions" or similar that says that it cannot <br>
validly sign certificates outside some state or province. <br>
Having such restrictions in a root CA is GOOD whenever <br>
possible, because it limits the damage that can be done <br>
if the CA security is compromised, and because it limits <br>
the reasons other people might not want to install your <br>
root CA into their browsers/mail programs/computers.<br>
</tt><tt><br>
2. Check if the settings in your openssl.cnf file specify <br>
that the "StateOrProvince" field needs to have a <br>
specific value when running the CA command.<br>
<br>
If #1 is the issue, you cannot change it without <br>
regenerating the self-signed root CA cert (using the same <br>
key etc. for an easier transition) and then install the <br>
new version of this cert in all the computers and programs <br>
where the old version was installed.<br>
<br>
If #2 is the issue, all you need to do is to find and <br>
change that line in openssl.cnf . That line almost <br>
certainly says "StateOrProvince" on it, so it should <br>
be easy to find.<br>
</tt><br>
On 11/12/2015 15:18, Mohammad Jebran wrote:<br>
</div>
<blockquote class=" cite"
id="mid_CADapTjnO_5sOHoE4RqbeH4RaqqFiDW9VQtSw0djtzRPmvnr3ow_mail_gmail_com"
cite="mid:CADapTjnO=5sOHoE4RqbeH4RaqqFiDW9VQtSw0djtzRPmvnr3ow@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small">Please
can I have some advise on this query.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;font-size:small">Regards,<br>
Jebran.</div>
<div class="gmail_extra">
<br>
<div class="gmail_quote">On Tue, Dec 8, 2015 at 11:18 AM,
Mohammad Jebran <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:imjebran@gmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:imjebran@gmail.com">imjebran@gmail.com</a></a>></span> wrote:<br>
<blockquote id="Cite_8625426" class="gmail_quote cite"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div
style="font-family:verdana,sans-serif;font-size:small">
<div
style="font-family:arial,sans-serif;font-size:12.8px">
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><span
style="font-family:Verdana,sans-serif">I have to
sign a sub-CA through my current root CA using <span>openSSL</span>everything
I have configured as per instructions but still
getting an error that "stateorProvanceName field
needed to be the same" As mentioned below.</span></p>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8px">
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><span
style="font-family:Verdana,sans-serif"> </span></p>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8px">
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><span
style="font-family:Verdana,sans-serif"> </span></p>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8px">
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">root@machine:~/ImportantCACerts/intermediate# <span>openssl</span> ca
-config<span>openssl</span>.cnf -extensions
v3_intermediate_ca -days 3650 -notext -md
sha256 -in csr/subca2.csr -out
certs/subca2.crt</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">Using
configuration from <span>openssl</span>.cnf</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">Check
that the request matches the signature</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">Signature
ok</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">The
stateOrProvinceName field needed to be the
same in the</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<div>
<p class="MsoNormal" style="margin:0in 0in
0.0001pt;font-size:12pt;font-family:'Times New
Roman',serif"><i><span
style="font-family:Verdana,sans-serif">CA
certificate (HK) and the request (HK)</span></i><span
style="font-family:Verdana,sans-serif"></span></p>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="https://www.wisemo.com">https://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>