[openssl-users] sign sub CA issue

Jakob Bohm jb-openssl at wisemo.com
Fri Dec 11 15:14:54 UTC 2015


1. Check if the certificate for your root CA specifies any
   "path restrictions" or similar that says that it cannot
   validly sign certificates outside some state or province.
   Having such restrictions in a root CA is GOOD whenever
   possible, because it limits the damage that can be done
   if the CA security is compromised, and because it limits
   the reasons other people might not want to install your
   root CA into their browsers/mail programs/computers.

2. Check if the settings in your openssl.cnf file specify
   that the "StateOrProvince" field needs to have a
   specific value when running the CA command.

If #1 is the issue, you cannot change it without
regenerating the self-signed root CA cert (using the same
key etc. for an easier transition) and then installing the
new version of this cert in all the computers and programs
where the old version was installed.

If #2 is the issue, all you need to do is to find and
change that line in openssl.cnf.  That line almost
certainly says "StateOrProvince" on it, so it should
be easy to find.

On 11/12/2015 15:18, Mohammad Jebran wrote:
> Please can I have some advice on this query.
>
> Regards,
> Jebran.
>
> On Tue, Dec 8, 2015 at 11:18 AM, Mohammad Jebran <imjebran at gmail.com 
> <mailto:imjebran at gmail.com>> wrote:
>
>     I have to sign a sub-CA through my current root CA using
>     openSSL. Everything I have configured as per instructions but still
>     getting an error that "stateOrProvinceName field needed to be the
>     same" as mentioned below.
>
>     root at machine:~/ImportantCACerts/intermediate# openssl ca
>     -config openssl.cnf -extensions v3_intermediate_ca -days 3650
>     -notext -md sha256 -in csr/subca2.csr -out certs/subca2.crt
>     Using configuration from openssl.cnf
>     Check that the request matches the signature
>     Signature ok
>     The stateOrProvinceName field needed to be the same in the
>     CA certificate (HK) and the request (HK)
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
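The openssl.cnf policy check behind Jakob's point #2, emulated in Python as an added example (not code from this thread or from OpenSSL): it resolves the policy section that `[ ca ]` selects, then applies the match/supplied/optional rules to a request DN. The configuration fragment, DNs and the `policy_loose` section are constructed for illustration.

```python
# Constructed openssl.cnf fragment (not the poster's file): [ca] selects
# CA_default, whose policy line names the rules applied to every request.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default
[ CA_default ]
policy = policy_strict    # point this at policy_loose to relax the check
[ policy_strict ]
countryName         = match
stateOrProvinceName = match
commonName          = supplied
[ policy_loose ]
countryName         = optional
stateOrProvinceName = optional
commonName          = supplied
"""

def parse_cnf(text):
    """Minimal reader for the '[ section ]' / 'key = value' subset of openssl.cnf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def load_policy(cnf_text, policy_name=None):
    """Rules for the policy [ca] selects, or for policy_name (like -policy NAME)."""
    cnf = parse_cnf(cnf_text)
    if policy_name is None:
        policy_name = cnf[cnf["ca"]["default_ca"]]["policy"]
    return dict(cnf[policy_name])

def check_request(policy, ca_dn, req_dn):
    """Apply match/supplied/optional to a request DN; return violations."""
    problems = []
    for field, rule in policy.items():
        req_val = req_dn.get(field)
        if rule in ("match", "supplied") and req_val is None:
            problems.append(f"The {field} field needed to be supplied and was missing")
        elif rule == "match" and req_val != ca_dn.get(field):
            problems.append(f"The {field} field needed to be the same in the CA "
                            f"certificate ({ca_dn.get(field)}) and the request ({req_val})")
    return problems
```

Switching the `policy =` line to the section that marks stateOrProvinceName `optional` is the one-line change the reply describes; with `match` left in place any difference in that field fails the request.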
