RC4 is a symmetric cipher which does not appear in the certificate request and in the resulting certificate itself. What can be important is the message digest algorithm; apparently your export-restricted CA requires MD5.
So first create the CSR via:
openssl req -new -key mykey.private -md5 -out my.csr
(actually -md5 is still the default).
Then answer the prompts appropriately. After the file is generated, you can examine its contents in text form:
openssl req -in my.csr -text -noout
Make sure that the Subject, Public Key Algorithm and Signature Algorithm fields are correct before submitting the CSR; you could also see that there is no mention of RC4 or any other symmetric encryption algorithm there.
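The pre-submission check described above can be scripted. This is an added example, not part of the original answer: the file names and subject are constructed, and the sample run signs with sha256 as an assumption (pass md5 as the digest argument only if the CA demands it, as in the question).

```shell
#!/bin/sh
# Added example. File names and the subject are constructed sample values.

# make_csr KEY CSR DIGEST SUBJECT
# Create a throwaway RSA key and a CSR signed with DIGEST (e.g. sha256, md5).
make_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -new -key "$1" "-$3" -subj "$4" -out "$2"
}

# csr_field CSR LABEL
# Print the value of the first "LABEL: value" line in the CSR text dump.
csr_field() {
    openssl req -in "$1" -noout -text | sed -n "s/^ *$2: *//p" | head -n 1
}

# check_csr CSR EXPECTED_SIGALG
# Succeed only if the self-signature verifies, the signature algorithm is the
# expected one, and no symmetric cipher name shows up anywhere in the dump.
check_csr() {
    # Match the message rather than the exit status, which varies by version.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify"; return 1; }
    sig=$(csr_field "$1" "Signature Algorithm")
    [ "$sig" = "$2" ] ||
        { echo "signature algorithm is $sig, expected $2"; return 1; }
    if openssl req -in "$1" -noout -text | grep -Eiq 'rc4|3des|aes'; then
        echo "unexpected symmetric cipher name in CSR"; return 1
    fi
    echo "Subject:              $(csr_field "$1" "Subject")"
    echo "Public Key Algorithm: $(csr_field "$1" "Public Key Algorithm")"
    echo "Signature Algorithm:  $sig"
}

# Constructed sample run in a scratch directory.
tmp=$(mktemp -d)
make_csr "$tmp/demo.key" "$tmp/demo.csr" sha256 \
    "/C=US/O=Example Org/CN=www.example.com"
check_csr "$tmp/demo.csr" sha256WithRSAEncryption
rm -rf "$tmp"
```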
I have run into something similar in the past, and using openssl to convert the certificates from what they were into what I needed worked.
This website seems to cover the commands fairly well enough, but I don't know anything about their automated tool, so use with caution if you go that route.
https://www.sslshopper.com/ssl-converter.html
You can also try DigiCert's website; they have lots of useful docs and tools for beginners. I used them quite heavily for a while until I got used to the openssl tool on Linux.
Also possibly relevant:
https://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem
For reference, I have added the commands here:
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
To go a bit deeper, the CSR is generated using the private key. If the CSR is in the wrong format and you need to use the existing private key (can't generate a new one for instance), you might want to try converting the private key, then creating a new CSR. Then tell the CA what format to issue the new certificate. This should eliminate the incompatibility.
As always, back up what you have before trying anything.
Best Answer
There isn't a way to override a field from the CSR using the OpenSSL configuration file. The configuration file can only supply default values. There are two options that I can see:
openssl ca command to sign a CSR, you can override the subject from the CSR using the -subject argument. So, get the subject from the CSR (openssl req -noout -subject -in req.pem), search-and-replace the fields you want to change, and specify the altered subject on the command line with -subject.
match for the static fields, i.e. your CA certificate contains the static values in its own fields (e.g. O, OU).