Openssl config file string_mask

Richard Olsen rolsen at
Thu Oct 10 14:58:03 UTC 2019

On our RHEL7 system I created a local CA. When i try to sign the linux
created csr there is no problem. But trying to sign from Palo Alto or F5
csr's it errors with

The stateOrProvinceName field needed to be the same
> in the CA certificate CA certificate (My Entry) and the request (My Entry)

So researching i found the references to the openssl asn1parse to see the
encoding of the csr. The PA and F5 csr's use PRINTABLESTRING instead of
utf8 like the openssl req command from the command line.

I have been trying to use the string_mask option in the openssl.cnf. I've
tried setting  it to multiple options (one at a time) as listed in the
default config. It still fails everytime. I've verified that i am using the
correct config file that i've modified. (Using configuration from when i
run the command)

string_mask = nombstr
string_mask = default
string_mask = pkix

I know that i can change policy_match from match to either optional or
supplied but i don't want to have to do that. I don't get any error when i
put random entry in the string_mask variable but i don't know if that is a
way to test the config file anyway.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list