OpenSSL – DomainComponent Error with SSL Certificate

Tags: openssl, ssl-certificate

I am creating a simple PKI to use TLS with an LDAP server.

I created the root CA request and certificate with this in the config file:

[ ca_dn ]
0.domainComponent       = "org"
1.domainComponent       = "example"

I then created the signing CA request and certificate with this in the config file:

[ ca_dn ]
0.domainComponent       = "org"
1.domainComponent       = "example"

Then I created the ldap request with this in the config file:

[ server_dn ]
0.domainComponent       = "org"
1.domainComponent       = "example"
2.domainComponent       = "ldap"

But when I want to create the certificate with

openssl ca -config etc/signing-ca.conf -in certs/ldap.example.org.csr -out certs/ldap.example.org.crt -extensions server_ext

I get this message:

The domainComponent field needed to be the same in the CA certificate (example) and the request (ldap)

I can see that the ldap.example.org.key and ldap.example.org.crt files are created, the .crt file being empty.
Am I misunderstanding something in this process?

Best Answer

Your OpenSSL config file will have an option called policy which points to a policy section. For example policy = [policy_match]. A [policy_match] section (usually just below the option) will list which elements of the Distinguished Name are either optional, supplied or match. For example:

[policy_match]
countryName=match
organizationName=match
organizationalUnitName=optional
domainComponent=match

Chances are you have a domainComponent=match as shown in the example, which means that the request's domainComponent must be the same as that of the certificate signing the request (the CA certificate). Change it to optional (it doesn't have to be present in the request) or to supplied (it has to be present, but it doesn't have to match).

More details are available in the OpenSSL CA man page under Policy Format.
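As an added example, not code from the question or the answer, the following POSIX shell script rebuilds the situation end to end: it creates a throw-away CA in a temporary directory with DC=org, DC=example, generates a CSR with the extra DC=ldap, and runs openssl ca twice, first with domainComponent = match (which reproduces the policy error, and leaves the empty .crt the question describes) and then with domainComponent = supplied, which issues the certificate with all three DC values intact. The directory layout, the commonName values, the contents of the server_ext section and the ldap.example.org SAN are assumptions made for the demo; it needs the openssl binary on PATH and skips quietly if it is absent.

```shell
#!/bin/sh
# Added example, not code from the question or answer: rebuild the failing
# `openssl ca` run in a temp dir, then sign with domainComponent=supplied.
# Paths, CNs, the SAN and the server_ext contents are assumptions for the demo.
set -u

# Signing-CA config; $2 is the domainComponent policy (match/supplied/optional).
write_ca_conf() {
    cat > "$1/signing-ca.conf" <<EOF
[ ca ]
default_ca      = signing_ca
[ signing_ca ]
dir             = $1
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_match
[ policy_match ]
domainComponent = $2
commonName      = supplied
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ldap.example.org
[ req ]
prompt             = no
distinguished_name = ca_dn
[ ca_dn ]
0.domainComponent = "org"
1.domainComponent = "example"
commonName        = "Example Signing CA"
EOF
}

# CSR config for the LDAP server: the question's [server_dn] plus an assumed CN.
write_server_req_conf() {
    cat > "$1/ldap-req.conf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = server_dn
[ server_dn ]
0.domainComponent = "org"
1.domainComponent = "example"
2.domainComponent = "ldap"
commonName        = "ldap.example.org"
EOF
}

# Throw-away PKI: self-signed CA with DC=org,DC=example and a CSR adding DC=ldap.
setup_pki() {
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial" || return 1
    write_ca_conf "$1" match
    write_server_req_conf "$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/signing-ca.conf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ldap-req.conf" \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" >/dev/null 2>&1
}

# Sign the CSR under the given domainComponent policy. Prints the issued
# subject on success; on failure shows openssl's complaint and returns 1.
sign_with_policy() {
    write_ca_conf "$1" "$2"
    out="$1/ldap-$2.crt"
    if openssl ca -batch -notext -config "$1/signing-ca.conf" -in "$1/ldap.csr" \
          -out "$out" -extensions server_ext >"$1/ca-$2.log" 2>&1; then
        openssl x509 -in "$out" -noout -subject
    else
        tail -n 3 "$1/ca-$2.log" >&2
        # As the question observed: the output file is opened before the policy check.
        [ -e "$out" ] && [ ! -s "$out" ] && echo "($out exists but is empty)" >&2
        return 1
    fi
}

# Returns 0 only if match rejects the CSR and supplied issues a cert keeping DC=ldap.
demo_dc_policy() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping" >&2; return 0; }
    dir=$(mktemp -d) || return 1
    rc=0
    if ! setup_pki "$dir"; then
        echo "could not build the throw-away PKI" >&2; rm -rf "$dir"; return 1
    fi
    if sign_with_policy "$dir" match >/dev/null; then
        echo "unexpected: domainComponent=match accepted DC=ldap" >&2; rc=1
    else
        echo "domainComponent=match rejected the CSR, as in the question"
    fi
    subj=$(sign_with_policy "$dir" supplied) || rc=1
    case $subj in *ldap*) echo "domainComponent=supplied issued: $subj" ;;
        *) echo "DC=ldap missing from issued subject: '$subj'" >&2; rc=1 ;; esac
    rm -rf "$dir"
    return $rc
}

demo_dc_policy
```

The first openssl ca run prints the real policy message (wording differs slightly between OpenSSL versions) and exits non-zero; the second one succeeds because supplied only requires the attribute to be present in the request. Note that attributes absent from the policy section are dropped from the issued subject, so any attribute the server certificate needs (here commonName) has to be listed as supplied or optional.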