Title: organizationName field mismatch?

Hi, I was wondering if I could get some help from the community.  I am having a problem processing a certificate request generated from a Nortel Contivity Switch to various versions of an OpenSSL CA (0.9.6 24 Sept 2000 and 0.9.6j April-2003).  I have established previously that this can be done, but it was on another OpenSSL host.

In the process of troubleshooting why the request fails to be signed by the OpenSSL host we discovered that the major symptom is with the whitespace located in the organizationName field.  When the whitespace is present we receive the following error message during the signing attempt ...

C:\OpenSSL>openssl ca -in 1600test.csr -out 1600test.crt -config config.txt
Using configuration from config.txt
Loading 'screen' into random state - done
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'SE'
organizationName      :T61STRING:'Uppsala Universitet'
commonName            :T61STRING:'vpntest.its.uu.se'
The organizationName field needed to be the same in the
CA certificate (Uppsala Universitet) and the request (Uppsala Universitet)
===============================
Using the following parameters in the config.txt ...
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /OpenSSL
new_certs_dir = /OpenSSL/new
certificate = /OpenSSL/inter.crt
private_key = /OpenSSL/inter.key
database = /OpenSSL/ca.db.index
default_md = sha1
default_days = 365
policy = policy_match
serial = /OpenSSL/ca.db.serial
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits           = 1024
default_keyfile        = key1024.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = yes
output_password        = mypass
[ req_distinguished_name ]
C                      = Country
ST                     = State or Province
L                      = Locality
O                      = Organization Name
OU                     = Organizational Unit Name
CN                     = Domain Name
emailAddress           = [EMAIL PROTECTED]
[ req_attributes ]
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
nsCertType                    = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
#nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
===============================
Without the whitespace the request is processed fine.  I have managed to decode the request ...

    <30 82 02 8C 30 82 01 74 02 01 00 30 47 31 0B 30 09 06 03 55 04 06 13 02>
   0 30  652: SEQUENCE {
    <30 82 01 74 02 01 00 30 47 31 0B 30 09 06 03 55 04 06 13 02 53 45 31 1C>
   4 30  372: . SEQUENCE {
    <02 01 00>
   8 02    1: . . INTEGER 0
    <30 47 31 0B 30 09 06 03 55 04 06 13 02 53 45 31 1C 30 1A 06 03 55 04 0A>
  11 30   71: . . SEQUENCE {
    <31 0B 30 09 06 03 55 04 06 13 02 53 45>
  13 31   11: . . . SET {
    <30 09 06 03 55 04 06 13 02 53 45>
  15 30    9: . . . . SEQUENCE {
    <06 03 55 04 06>
  17 06    3: . . . . . OBJECT IDENTIFIER countryName (2 5 4 6)
    <13 02 53 45>
  22 13    2: . . . . . PrintableString 'SE'
            : . . . . . }
            : . . . . }
    <31 1C 30 1A 06 03 55 04 0A 14 13 55 70 70 73 61 6C 61 20 75 6E 69 76 65>
  26 31   28: . . . SET {
    <30 1A 06 03 55 04 0A 14 13 55 70 70 73 61 6C 61 20 75 6E 69 76 65 72 73>
  28 30   26: . . . . SEQUENCE {
    <06 03 55 04 0A>
  30 06    3: . . . . . OBJECT IDENTIFIER organizationName (2 5 4 10)
    <14 13 55 70 70 73 61 6C 61 20 75 6E 69 76 65 72 73 69 74 65 74>
  35 14   19: . . . . . TeletexString 'Uppsala universitet'
            : . . . . . }
            : . . . . }
    <31 1A 30 18 06 03 55 04 03 14 11 76 70 6E 74 65 73 74 2E 69 74 73 2E 75>
  56 31   26: . . . SET {
    <30 18 06 03 55 04 03 14 11 76 70 6E 74 65 73 74 2E 69 74 73 2E 75 75 2E>
  58 30   24: . . . . SEQUENCE {
    <06 03 55 04 03>
  60 06    3: . . . . . OBJECT IDENTIFIER commonName (2 5 4 3)
    <14 11 76 70 6E 74 65 73 74 2E 69 74 73 2E 75 75 2E 73 65>
  65 14   17: . . . . . TeletexString 'vpntest.its.uu.se'
            : . . . . . }
            : . . . . }
            : . . . }
===============================
What confuses me is the apparent mismatch in the string formats.  The request appears to show Teletex while the CA appears to show T61.  Is it possible this discrepancy might be causing the problem we are seeing with the whitespace?  If so, I could use some corrective advice since I really need to get this working.  If not, I could use some advice on what you feel might be the leading cause of the policy mismatch in the organizationName field.  Looking for a quick response.  Thanks in advance.
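As an added example (not code from the original post or from OpenSSL itself), the script below walks the DER of the request's subject Name shown in the dump above and re-implements the comparison that `openssl ca` applies to a `policy` field set to `match`: in apps/ca.c the request attribute is compared against the CA certificate's attribute with ASN1_STRING_cmp(), which compares length, then the raw bytes, then the ASN.1 string type. Two facts follow from that which are worth checking before anything else: the dump's "TeletexString" and the CA output's "T61STRING" are the same ASN.1 type (universal tag 20, 0x14), so that by itself is not a mismatch; but the `match` rule does require the CA certificate's organizationName to carry exactly the same bytes (case and whitespace included) and the same string type as the request's. The request bytes are taken from the dump; the CA subjects are constructed placeholders, since the CA certificate's own encoding is not in the post, and the helper names are mine.

```python
# Added example, not from the original post or from OpenSSL. Minimal DER walker
# for an X.509 Name plus a re-implementation of the check `openssl ca` does for
# a policy field set to "match" (ASN1_STRING_cmp: length, then bytes, then type).

# Universal ASN.1 string tags that appear in Names.
TAG_NAMES = {
    0x13: "PrintableString",
    0x14: "T61String",   # alias TeletexString: same tag, two names for one type
    0x0C: "UTF8String",
    0x16: "IA5String",
    0x1E: "BMPString",
}

# Attribute-type OIDs used in the post's request (hex of the OID contents).
OID_NAMES = {"55 04 06": "countryName",
             "55 04 0a": "organizationName",
             "55 04 03": "commonName"}

# Subject Name of the request, copied from the ASN.1 dump in the post.
REQUEST_NAME = bytes.fromhex(
    "30 47"
    "31 0B 30 09 06 03 55 04 06 13 02 53 45"
    "31 1C 30 1A 06 03 55 04 0A 14 13 55 70 70 73 61 6C 61 20 75 6E 69 76 65 72 73 69 74 65 74"
    "31 1A 30 18 06 03 55 04 03 14 11 76 70 6E 74 65 73 74 2E 69 74 73 2E 75 75 2E 73 65")

# The [policy_match] section from the post, as a dict.
POLICY_MATCH = {"countryName": "match", "stateOrProvinceName": "optional",
                "localityName": "optional", "organizationName": "match",
                "organizationalUnitName": "optional", "commonName": "supplied",
                "emailAddress": "optional"}


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_name(der):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue.
    Returns [(attribute_name, string_tag, value_bytes), ...] in encoded order."""
    tag, rdns, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = read_tlv(rdn, inner)
            assert tag == 0x30, "AttributeTypeAndValue must be a SEQUENCE"
            tag, oid, p = read_tlv(atv, 0)
            assert tag == 0x06, "attribute type must be an OBJECT IDENTIFIER"
            vtag, value, _ = read_tlv(atv, p)
            key = oid.hex(" ")
            attrs.append((OID_NAMES.get(key, key), vtag, value))
    return attrs


def describe(der):
    """Render attributes the way the `openssl ca` diagnostics do: name, type, value."""
    return ["%s: %s %r" % (n, TAG_NAMES.get(t, hex(t)), v.decode("latin-1"))
            for n, t, v in parse_name(der)]


def asn1_string_cmp(a_tag, a_val, b_tag, b_val):
    """Mirror of OpenSSL ASN1_STRING_cmp(): length, then bytes, then type.
    Returns a reason string, or None when the two strings are equal."""
    if len(a_val) != len(b_val):
        return "length differs (%d vs %d)" % (len(a_val), len(b_val))
    if a_val != b_val:
        return "bytes differ: %r vs %r" % (a_val, b_val)
    if a_tag != b_tag:
        return "string type differs (%s vs %s)" % (
            TAG_NAMES.get(a_tag, hex(a_tag)), TAG_NAMES.get(b_tag, hex(b_tag)))
    return None


def check_policy(req_name, ca_name, policy):
    """Apply a policy section to a parsed request subject against a parsed CA
    subject. Returns a list of failure messages (empty list = request passes)."""
    failures = []
    for field, rule in policy.items():
        req_vals = [(t, v) for n, t, v in req_name if n == field]
        ca_vals = [(t, v) for n, t, v in ca_name if n == field]
        if rule == "optional":
            continue
        if not req_vals:
            failures.append("The %s field is required but missing in the request" % field)
            continue
        if rule == "match":
            if not ca_vals:
                failures.append("The %s field does not exist in the CA certificate" % field)
                continue
            for rt, rv in req_vals:
                # As in ca.c: the request value must equal at least one CA value.
                if all(asn1_string_cmp(rt, rv, ct, cv) is not None for ct, cv in ca_vals):
                    reason = asn1_string_cmp(rt, rv, ca_vals[0][0], ca_vals[0][1])
                    failures.append("The %s field needed to be the same in the CA "
                                    "certificate and the request: %s" % (field, reason))
    return failures


def make_ca_name(org_tag, org_text):
    """Constructed helper (hypothetical CA subject): DER-encode C=SE, O=<org>,
    CN=Constructed Test CA with the given string tag for O. Short-form lengths only."""
    def tlv(tag, content):
        assert len(content) < 128
        return bytes([tag, len(content)]) + content
    attrs = [(b"\x55\x04\x06", 0x13, "SE"), (b"\x55\x04\x0a", org_tag, org_text),
             (b"\x55\x04\x03", 0x13, "Constructed Test CA")]
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(t, s.encode("latin-1"))))
                              for o, t, s in attrs))


def diagnose(req_der, ca_der, policy=POLICY_MATCH):
    """Parse both Names and report why (or whether) the policy rejects the request."""
    return check_policy(parse_name(req_der), parse_name(ca_der), policy)


if __name__ == "__main__":
    print("Request subject:")
    for line in describe(REQUEST_NAME):
        print("  " + line)
    for tag, text in [(0x13, "Uppsala Universitet"), (0x13, "Uppsala universitet"),
                      (0x14, "Uppsala universitet")]:
        print("CA O=%s %r ->" % (TAG_NAMES[tag], text),
              diagnose(REQUEST_NAME, make_ca_name(tag, text)) or "policy satisfied")
```

Run as-is, the three constructed CA subjects show the three outcomes in turn: a capital-letter difference fails on bytes, identical bytes with a PrintableString O fail on type, and only an O that is byte-identical and also T61String satisfies `organizationName = match`. To see which case applies to a real pair, compare the output of `describe()` on the request Name with the same listing for the CA certificate's subject.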