I am creating a simple PKI to use TLS with an LDAP server.
I created the root CA request and certificate with this in the config file:
[ ca_dn ]
0.domainComponent = "org"
1.domainComponent = "example"
I then created the signing CA request and certificate with this in the config file:
[ ca_dn ]
0.domainComponent = "org"
1.domainComponent = "example"
Then I created the ldap request with this in the config file:
[ server_dn ]
0.domainComponent = "org"
1.domainComponent = "example"
2.domainComponent = "ldap"
But when I want to create the certificate with
openssl ca -config etc/signing-ca.conf -in certs/ldap.example.org.csr -out certs/ldap.example.org.crt -extensions server_ext
I get this message:
The domainComponent field needed to be the same in the CA certificate (example) and the request (ldap)
I can see that the ldap.example.org.key and ldap.example.org.crt files are created, the .crt file being empty.
Am I misunderstanding something in this process?
Best Answer
Your OpenSSL config file will have an option called policy which points to a policy section. For example policy = policy_match. A [policy_match] section (usually just below the option) will list which elements of the Distinguished Name are either optional, supplied or match. For example:

Chances are you have a domainComponent = match as shown in the example, which means that the request's domainComponent must be the same as that of the certificate signing the request (the CA certificate). Change it to optional (it doesn't have to be present in the request) or to supplied (it has to be present, but it doesn't have to match).

More details are available in the OpenSSL CA man page under Policy Format.
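The two policy shapes the answer describes, as an added example that is not part of the original question or answer: a constructed signing-CA config with a [policy_match] section (domainComponent = match) that reproduces the refusal from the question, and a [policy_supplied] section that lets the same request through. It needs only the openssl command-line tool (1.1.1 or 3.x); every DN, file name and serial in it is made up for the demonstration, and the keys are throwaway P-256 keys generated on the fly.

```shell
#!/bin/sh
# Added example, not the original poster's files or the answer's own snippet.
# Builds a throwaway signing CA whose subject is /DC=org/DC=example, then
# signs a CSR for /DC=org/DC=example/DC=ldap/CN=ldap.example.org twice:
# once under the strict "match" policy, once under a "supplied" policy.

write_config() {
    # Quoted heredoc so "$dir" reaches OpenSSL's parser instead of the shell.
    cat > signing-ca.conf <<'EOF'
[ req ]
distinguished_name = req_dn     # "openssl req" wants this even with -subj
[ req_dn ]
commonName = Common Name

[ ca ]
default_ca      = signing_ca

[ signing_ca ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/signing-ca.crt
private_key     = $dir/signing-ca.key
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_match  # strict default; -policy on the CLI overrides it

# Strict: every DC in the request must equal a DC of the CA certificate.
[ policy_match ]
domainComponent = match
commonName      = supplied

# Relaxed: DC must be present in the request but may differ from the CA's.
[ policy_supplied ]
domainComponent = supplied
commonName      = supplied

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ldap.example.org
EOF
}

# Sign ldap.csr under the named policy section. "openssl ca" exits non-zero
# when the policy rejects the request and leaves the -out file empty, which
# is the empty .crt the question describes.
sign_with_policy() {
    openssl ca -config signing-ca.conf -batch -notext -policy "$1" \
        -extensions server_ext -in ldap.csr -out "ldap-$1.crt" 2> "ca-$1.log"
}

# Runs the whole scenario in a fresh temp dir; the last line is a summary.
run_policy_demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    mkdir -p ca/newcerts && : > ca/index.txt && echo 1000 > ca/serial
    write_config

    # Signing CA with the same DC chain as in the question.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca/signing-ca.key 2>/dev/null
    openssl req -config signing-ca.conf -new -x509 -key ca/signing-ca.key \
        -subj "/DC=org/DC=example" -days 3650 -extensions ca_ext \
        -out ca/signing-ca.crt 2>/dev/null

    # LDAP server request: one extra DC ("ldap") that the CA's subject lacks.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ldap.key 2>/dev/null
    openssl req -config signing-ca.conf -new -key ldap.key \
        -subj "/DC=org/DC=example/DC=ldap/CN=ldap.example.org" -out ldap.csr 2>/dev/null

    strict=issued
    sign_with_policy policy_match || strict=refused
    echo "policy_match: $(grep -i domainComponent ca-policy_match.log | head -n 1)"
    [ -s ldap-policy_match.crt ] || echo "policy_match: ldap-policy_match.crt was created but is empty"

    relaxed=issued
    sign_with_policy policy_supplied || relaxed=refused
    echo "policy_supplied: $(openssl x509 -in ldap-policy_supplied.crt -noout -subject -nameopt RFC2253 2>/dev/null)"

    # The issued certificate still chains to the CA; only the DN policy changed.
    chain=bad
    openssl verify -CAfile ca/signing-ca.crt ldap-policy_supplied.crt >/dev/null 2>&1 && chain=ok

    cd / && rm -rf "$work"
    echo "strict=$strict relaxed=$relaxed chain=$chain"
}

run_policy_demo
```

Two things worth keeping in mind when relaxing the policy. The -policy option on the command line overrides the policy = line in the config, so the strict section can stay as the default and be relaxed only for the signings that need it. And once domainComponent is supplied rather than match, the CA no longer ties issued subjects to its own namespace; whatever DC values the request carries end up in the certificate, so the CSR contents (and the subjectAltName the server actually needs) deserve a look before signing.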