14

With the following OpenSSL Config

[ req ] default_bits = 2048 default_md = sha256 default_keyfile = drone-ci-web.company.com.key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only prompt = no encrypt_key = no [ subject ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Missouri localityName = Locality Name (eg, city) localityName_default = Jefferson City organizationName = Organization Name (eg, company) organizationName_default = My Company organizationalUnitName = Organizational Unit (eg, team) organizationalUnitName_default = My Company Technologies commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = drone-ci-web.company.com emailAddress = Email Address emailAddress_default = [email protected] [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "Drone-CI - OpenSSL Generated Certificate" [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "Drone-CI - OpenSSL Generated Certificate" [ alternate_names ] DNS.1 = drone-ci-web.company.com

I run the following command:

sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem

and I get the following error:

vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.ccompany.com.cert.pem Generating a 2048 bit RSA private key ..............................................................................................................+++ ....................+++ writing new private key to 'drone-ci-web.company.com.key.pem' ----- problems making Certificate Request 140184216713104:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2

From what I think its telling me, one of the fields its trying to use is "Too long" and is only two characters, but from what I keep reading, the countryName_default should override the countryName and make this accept the value given for default.

OpenSSL and Operating System information:

[vagrant@jonspc ~]$ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 [vagrant@jonspc ~]$ cat /etc/oracle-release Oracle Linux Server release 7.5 [vagrant@jonspc ~]$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.5 (Maipo)

HOWEVER, if I remove the _default lines and try again, this succeeds with the following config.

[ req ] default_bits = 2048 default_md = sha256 default_keyfile = drone-ci-web.company.com.key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only prompt = no encrypt_key = no [ subject ] countryName = US stateOrProvinceName = Missouri localityName = Jefferson City organizationName = My Company organizationalUnitName = My Company Technologies commonName = drone-ci-web.company.com emailAddress = [email protected] [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "Drone-CI - OpenSSL Generated Certificate" [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "Drone-CI - OpenSSL Generated Certificate" [ alternate_names ] DNS.1 = drone-ci-web.company.com

This works with the following output. 

[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem Generating a 2048 bit RSA private key ..............+++ ..............+++ writing new private key to 'drone-ci-web.company.com.key.pem' -----
Improve this question
1

2 Answers 2

Reset to default
13

From the documentation:

DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT There are two separate formats for the distinguished name and attribute sections. If the prompt option is set to no then these sections just consist of field names and values: for example,

 CN=My Name OU=My Organization [email protected]

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req. An example of this kind of configuration file is contained in the EXAMPLES section. Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

 fieldName="prompt" fieldName_default="default field value" fieldName_min= 2 fieldName_max= 4

So basically what you figured out yourself.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you for pointing all this out! It makes so much more sense now.
3

It's a field with a two letter constraint. In my case, USA needed to be US.

Improve this answer

1 Comment

yes, thanks for the answer. It's right in my case. You guys can take a look on this site digicert.com/kb/ssl-certificate-country-codes.htm

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.