Help request

Richard Simard richard.simard at groupesti.com
Fri Apr 16 16:27:23 UTC 2021


When I try to sign a certificate, I get the message below, and yet the certificate and the key match.
Can someone help me?


Thank you!
Richard Simard



root at PKI:/# /usr/bin/openssl ca -selfsign -config /etc/root-ca.conf -in /ca/network-ca/csr/network-ca.csr -out /ca/network-ca/crt/network-ca.crt -extensions intermediate_ca_ext -startdate 20210101000000Z -enddate 20311231235959Z
Using configuration from /etc/root-ca.conf
Enter pass phrase for ./ca/root-ca/key/root-ca.key: ************
Check that the request matches the signature
Certificate request and CA private key do not match
root at PKI:/#

root at PKI:/# /usr/bin/openssl x509 -in /ca/root-ca/crt/root-ca.crt -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl rsa -in /ca/root-ca/key/root-ca.key -noout -modulus | openssl md5
Enter pass phrase for /ca/root-ca/key/root-ca.key: ************
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl req -in /ca/root-ca/csr/root-ca.csr -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/#

root-ca.conf :

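[ default ]
# CA name; also used as the directory and file stem under $dir/ca
ca = root-ca
# top-level directory, relative to the working directory openssl runs in
dir = .
base_url = http://pki.groupesti.com
# host part of the CRL URL. The original file used the name crl_url for
# both this host and the full URL below; OpenSSL keeps the last definition
# and expands $ references at parse time, so the effective crl_url was
# already host + /$ca.crl. Renaming this line keeps that value and removes
# the duplicate key.
crl_base_url = http://crl.groupesti.com
# referenced by sections not shown in this excerpt (if at all)
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
# CA certificate URL (authorityInfoAccess) and CRL distribution point
aia_url = $base_url/$ca.cer
crl_url = $crl_base_url/$ca.crl
# print UTF-8 subject names readably instead of escaping them
name_opt = multiline, -esc_msb, utf8
# library configuration section (not shown in this excerpt)
openssl_conf = openssl_init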

[ root_ca ]
# NOTE(review): the transcript above runs `openssl ca -selfsign` with this
# config against network-ca.csr. -selfsign signs the request with the
# request's own key, so it requires the CSR key to equal private_key below;
# "Certificate request and CA private key do not match" is what that
# produces for a subordinate CSR. The modulus checks in the transcript only
# compare root-ca.crt, root-ca.key and root-ca.csr with each other, never
# network-ca.csr. Omit -selfsign when issuing a subordinate CA certificate.
# CA certificate and (pass-phrase protected) signing key
certificate = $dir/ca/$ca/crt/$ca.crt
private_key = $dir/ca/$ca/key/$ca.key
# issued certificates, serial/CRL counters and the index database
new_certs_dir = $dir/ca/$ca/newcrt
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
# allow re-issuing a certificate for a subject that is already in the database
unique_subject = no
# validity of issued certificates in days (about ten years) and signature digest
default_days = 3652
default_md = sha512
# DN policy section (not shown in this excerpt)
policy = match_pol
# keep email addresses out of the issued DN; do not preserve DN field order
email_in_dn = no
preserve = no
# display options for subject names and certificates
name_opt = $name_opt
cert_opt = ca_default
# never copy extensions from the request; only intermediate_ca_ext applies
copy_extensions = none
x509_extensions = intermediate_ca_ext
# CRL validity in days and CRL extension section (not shown in this excerpt)
default_crl_days = 30
crl_extensions = crl_ext

[ intermediate_ca_ext ]
# extensions for a subordinate CA certificate issued by this root
# the key may only sign certificates and CRLs
keyUsage = critical, keyCertSign, cRLSign
# no pathlen is set, so the subordinate CA may itself issue further CA certificates
basicConstraints = critical, CA:true
# subject key id from the public key; authority key id always from the issuer's key id
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# AIA, CRL and policy contents come from sections not shown in this excerpt
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
certificatePolicies = @policy_intermediate_ca_ext
# raw DER-encoded extension; presumably MsCaV is mapped to an OID in an
# oid_section elsewhere in the file - verify, openssl rejects an unknown name
MsCaV = DER:02:01:02


network-ca.conf:

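[ default ]
# CA name; also used as the directory and file stem under $dir/ca
ca = network-ca
# top-level directory, relative to the working directory openssl runs in
dir = .
base_url = http://pki.groupesti.com
# host part of the CRL URL. The original file used the name crl_url for
# both this host and the full URL below; OpenSSL keeps the last definition
# and expands $ references at parse time, so the effective crl_url was
# already host + /$ca.crl. Renaming this line keeps that value and removes
# the duplicate key.
crl_base_url = http://crl.groupesti.com
# referenced by sections not shown in this excerpt (if at all)
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
# CA certificate URL (authorityInfoAccess) and CRL distribution point
aia_url = $base_url/$ca.cer
crl_url = $crl_base_url/$ca.crl
# print UTF-8 subject names readably instead of escaping them
name_opt = multiline, -esc_msb, utf8
# library configuration section (not shown in this excerpt)
openssl_conf = openssl_init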

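[ req ]
# RSA key size for newly generated keys; 8192 bits is well above common
# practice and makes key generation and every signature noticeably slower
default_bits = 8192
# protect the generated private key with a pass phrase
encrypt_key = yes
default_md = sha512
# DN input is UTF-8; prompt = no takes the DN verbatim from ca_dn
utf8 = yes
prompt = no
# DN fields and request extensions (sections not shown in this excerpt)
distinguished_name = ca_dn
req_extensions = ca_reqext
# Permitted DN string types: 0x2002 = PrintableString | UTF8String.
# The original file also set string_mask = utf8only a few lines earlier;
# OpenSSL keeps the last definition, so that line had no effect and is
# dropped here. Use utf8only instead if PrintableString is not wanted.
string_mask = MASK:0x2002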

[ network_ca ]
# CA certificate and (pass-phrase protected) signing key
certificate = $dir/ca/$ca/crt/$ca.crt
private_key = $dir/ca/$ca/key/$ca.key
# issued certificates, serial/CRL counters and the index database
new_certs_dir = $dir/ca/$ca/newcrt
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
# allow re-issuing a certificate for a subject that is already in the database
unique_subject = no
# validity of issued certificates in days (about ten years) and signature digest
default_days = 3652
default_md = sha512
# DN policy section (not shown in this excerpt)
policy = match_pol
# keep email addresses out of the issued DN; do not preserve DN field order
email_in_dn = no
preserve = no
# display options for subject names and certificates
name_opt = $name_opt
cert_opt = ca_default
# never copy extensions from the request; only signing_ca_ext applies
# (section not shown in this excerpt)
copy_extensions = none
x509_extensions = signing_ca_ext
# CRL validity of one day: a fresh CRL must be published at least daily or
# relying parties that check revocation will see an expired CRL
default_crl_days = 1
# CRL extension section (not shown in this excerpt)
crl_extensions = crl_ext

