We have a certificate authority that uses OpenSSL to sign certificate requests.

If I use the certificate plugin in MMC, I can generate a certificate request using "Create Custom Request", "without enrollment policy", "legacy key", detail->properties->subject, then add the required fields for CN, country, organization etc.
(on Windows 7 beta FWIW, but I could try in XP)

Our CA requires that the organization, country and state fields in the request match those in the CA, i.e. it will only sign in-house certificates. When generating requests using OpenSSL in Linux, or with OpenSSL under cygwin on XP, or with some 3rd-party tools such as XCA, we set the state to "BC" either in a template or at the OpenSSL prompt, and the certificate can be signed.
(openssl.cnf [policy_match] stateOrProvinceName = match, etc.)

If I generate a request using the Windows plugin, and use the CA to sign it, I get an error: "The stateOrProvinceName field needed to be the same in the CA certificate (BC) and the request (BC)"

When I use "openssl req" to display the request, I can see no difference in the Subject line between a Windows-generated request that fails and an OpenSSL-generated request that works. If I look at the binary in DER format, I see
(openssl)
Subject: C=CA, ST=BC, L=Vancouver, O=TRIUMF, CN=andrew
od -a includes:
eot ack dc3 stx   C   A   1  vt   0
dc3 stx   B   C   1 dc2   0
dc3 ack   T   R   I   U   M   F   1  si   0
(windows)
Subject: C=CA, O=TRIUMF, CN=andrew, ST=BC
od -a:
dc3 stx   C   A   1  si   0
ff ack   T   R   I   U   M   F   1  si   0
ff stx   B   C   0 soh  us

but I don't know what I'm doing ... I don't know if the difference between "BC0" and "BC1" is the problem, or just a feature of slightly different input.

I tried using -utf8 but no change. Also tried "Alberta". Also a match failure with the organization string if the match on state is relaxed.

I don't know whether this is a problem with the Windows plugin or with OpenSSL, although as I say it works with XCA, which I believe uses the Windows certificate store.

openssl-0.9.8b-10.el5_2.1.x86_64 (RHEL) and openssl-0.9.7a-43.17.el4_7.2.x86_64

I wondered if anyone else had seen this problem.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
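Added example (my own code, not the poster's or OpenSSL's): a minimal DER walker that decodes an X.509 Subject Name and reports the ASN.1 string type of each attribute value, which the plain Subject line printed by "openssl req" does not show. The sample Names are constructed to mirror the od dumps above, where "dc3" is byte 0x13 (PrintableString) and "ff" is byte 0x0c (UTF8String); the OID and tag tables cover only the common attributes.

```python
# Added example (not from the original post): minimal DER walker for an X.509 Name.
# It reports the ASN.1 string type of each attribute value, which "openssl req -text" hides.
from typing import Dict, List, Tuple

OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
        b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
TAGS = {0x13: "PrintableString", 0x0c: "UTF8String", 0x16: "IA5String",
        0x14: "T61String", 0x1e: "BMPString"}

def tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, start = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(data[start:start + n], "big"), start + n
    return tag, data[start:start + length], start + length

def parse_name(der: bytes) -> List[Tuple[str, str, str]]:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } -> [(attr, string type, text)]."""
    tag, rdns, _ = tlv(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = tlv(rdns, pos)                # SET, tag 0x31
        _, atv, _ = tlv(rdn_set)                        # AttributeTypeAndValue SEQUENCE
        _, oid, p = tlv(atv)                            # OBJECT IDENTIFIER, tag 0x06
        val_tag, val, _ = tlv(atv, p)                   # the string, e.g. 0x13 or 0x0c
        out.append((OIDS.get(oid, oid.hex()), TAGS.get(val_tag, hex(val_tag)), val.decode()))
    return out

def encode_name(attrs: List[Tuple[bytes, int, str]]) -> bytes:
    """Build a short DER Name from (oid, string tag, text); used only for constructed samples."""
    def wrap(tag: int, body: bytes) -> bytes:
        return bytes([tag, len(body)]) + body             # short-form length, body < 128 bytes
    return wrap(0x30, b"".join(wrap(0x31, wrap(0x30, wrap(0x06, o) + wrap(t, s.encode())))
                               for o, t, s in attrs))

def same_text_different_type(a: bytes, b: bytes) -> List[str]:
    """Attributes whose text is identical in both Names but whose ASN.1 string type differs."""
    ta: Dict[str, Tuple[str, str]] = {n: (t, v) for n, t, v in parse_name(a)}
    tb: Dict[str, Tuple[str, str]] = {n: (t, v) for n, t, v in parse_name(b)}
    return [n for n in ta if n in tb and ta[n][1] == tb[n][1] and ta[n][0] != tb[n][0]]

# Constructed samples mirroring the od dumps: dc3 = 0x13 PrintableString, ff = 0x0c UTF8String.
OPENSSL_REQ = encode_name([(b"\x55\x04\x06", 0x13, "CA"), (b"\x55\x04\x08", 0x13, "BC"),
                           (b"\x55\x04\x0a", 0x13, "TRIUMF")])
WINDOWS_REQ = encode_name([(b"\x55\x04\x06", 0x13, "CA"), (b"\x55\x04\x0a", 0x0c, "TRIUMF"),
                           (b"\x55\x04\x08", 0x0c, "BC")])
```

To check a real request, extract its DER Subject bytes and pass them to parse_name; same_text_different_type(OPENSSL_REQ, WINDOWS_REQ) lists the attributes whose text agrees while the string type does not.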
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org