Problem: Signing a certificate fails because of different countryName

Problem

When attempting to sign a self-created certificate request with the Univention CA, we get the following error:

$ univention-certificate -request <requestfile> sign
Signing request: ....
Using configuration from /etc/univention/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :<request>:'DE'
stateOrProvinceName   :<request>:'DE'
localityName          :<request>:'DE'
...
...
The countryName field is different between
CA certificate (DE) and the request (DE)

Investigation

So our CA certificate and the request both have DE for the countryName, but the process stops and says they are different. How come? We can check what the configuration looks like for the CA certificate first:

$ grep "[ req_distinguished_name ]" -FA8 /etc/univention/ssl/openssl.cnf
[ req_distinguished_name ]

C       = DE
ST      = DE
L       = DE
O       = ...
OU      = Univention Corporate Server
CN      = Univention Corporate Server Root CA (ID=...)
emailAddress    = ...

Looks fine. But somehow DE != DE and we have to dig deeper, hence we check out the CA itself as well as the request.

1. Check the encoding of the request file:

$ openssl req -in <requestfile> -noout -text -nameopt multiline,show_type | grep -i country
             countryName               = UTF8STRING:DE

2. Check the encoding of the CA:

$ openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text -nameopt multiline,show_type | grep -i country
             countryName               = PRINTABLESTRING:DE

Now we know what the problem is. The CA's countryName is encoded as a PRINTABLESTRING, but the request was created with a UTF8STRING. When openssl ca applies its "match" policy it compares the ASN.1 string type as well as the bytes, so PRINTABLESTRING:DE and UTF8STRING:DE are different values to it, even though both print as DE.

Solution

Unfortunately, it is not possible to directly edit an existing certificate request (CSR) to change the countryName value from UTF8STRING to PRINTABLESTRING as the CSR is digitally signed. The best practice is to create a new certificate request, making sure that all fields, including the countryName, are encoded correctly.

If this cannot be done on the request side, it is worth trying to create the signed certificate with our univention-certificate tool instead.
