I missed something basic and obvious about signing a client CSR using the openssl command.
I am simulating two organizations: one is a certification authority organization (located in California) and the other is a client organization that is in WA state.
I created a certification authority on Linux using the openssl command by following these steps: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
I have two files:
1. cakey.pem, containing the CA private key. This particular key is also associated with a passphrase.
2. cacert.pem, containing a self-signed CA certificate.
Then I want to sign all CSRs from clients. A Washington client sends me a client-csr.pem file. I read this page about CSR signing and the examples at the end: http://www.openssl.org/docs/apps/ca.html
The command I'm trying to execute and the error message are as follows. I run these commands on the CA system, the same system where I created cakey.pem (CA private key) and cacert.pem (CA self-signed certificate).
    $ openssl ca -in demoCA/csrs/client-csr.pem -out client-cert.pem
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (California) and the request (WA)
The question is why the state name should be the same for both the CA certificate and the client CSR.
The client is not in California, so when they create the CSR, they put their own state name (WA). As a certification authority, I confirmed that the client is indeed located in WA, and that the CSR file did indeed come from them. I want to sign this CSR and return the certificate to the client.
rpkrpk
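The refusal shown above comes from the policy section that openssl ca applies to the request's DN fields; the stock openssl.cnf selects policy_match, in which stateOrProvinceName is set to "match". The script below is an added example, not part of the original post: it builds a throwaway CA with constructed subjects and file names (the organization is the same on both sides, so only the state differs) and signs the same CSR under policy_match and then under policy_anything.

```sh
#!/bin/sh
# Added example. Throwaway CA in a temp dir: every subject, file name and the
# ca.cnf below is constructed for the demo; nothing touches ./demoCA.
# The policy sections are trimmed copies of the ones in the stock openssl.cnf.
policy_demo() {   # $1 = policy section to apply; prints openssl ca's messages
  dir=$(mktemp -d) || return 2
  (
    cd "$dir" || exit 2
    mkdir certs && : > index.txt && echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
serial = serial
new_certs_dir = certs
default_md = sha256
default_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -keyout cakey.pem \
      -out cacert.pem -subj "/C=US/ST=California/O=Demo Org/CN=Demo CA" 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout client-key.pem \
      -out client-csr.pem -subj "/C=US/ST=WA/O=Demo Org/CN=client.example" 2>/dev/null
    openssl ca -batch -config ca.cnf -policy "$1" -cert cacert.pem \
      -keyfile cakey.pem -in client-csr.pem -out client-cert.pem 2>&1 || true
    if grep -q 'BEGIN CERTIFICATE' client-cert.pem 2>/dev/null; then echo ISSUED; fi
  )
  rm -rf "$dir"
}
policy_demo policy_match      # state is "match": CA says California, CSR says WA
policy_demo policy_anything   # state is "optional": the same CSR is accepted
```

In a policy section, "match" requires the field to equal the CA certificate's value, "supplied" requires it to be present, and "optional" allows it to be absent or different. A CA that signs for outside organizations keeps "match" only on the fields it really wants to pin to its own name.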