Bug #1318

Certificate error: certificate subject does not match signing request subject

Added by Zinger daZinger over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Certificates
Target version:
Start date: 03/02/2011
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

Hi - I'm trying to apply a certificate from StartCom/Startssl.com to my pfSense 2.0-RC1 (amd64) - built on Wed Mar 2 12:54:13 EST 2011 - instance.

I'm getting this error:

The certificate subject 'emailAddress=, description=abc123xxxyyyzzz, OU=StartCom Free Certificate Member, O=Persona Not Validated, CN=host.domain.com, C=US' does not match the signing request subject.

csr.txt (1.82 KB) - CSR sent to register.com - Erik Chow, 03/28/2011 12:12 AM
certificate.crt (2.17 KB) - certificate for my server - Erik Chow, 03/28/2011 12:12 AM
Intermediary_Certificate_2.crt (1.65 KB) - register.com Intermediate 2 cert - Erik Chow, 03/28/2011 12:12 AM
Intermediary_Certificate_1.crt (1.49 KB) - register.com intermediate 1 cert - Erik Chow, 03/28/2011 12:12 AM
Root_Certificate.crt (1.48 KB) - register.com root cert - Erik Chow, 03/28/2011 12:12 AM
csr.txt (1.13 KB) - CSR - Mark Laagland, 03/29/2011 03:30 PM

History

#1 Updated by Ermal Luçi over 8 years ago

Can you show the subject that is displayed on pfSense screen of the signing request?

#2 Updated by Erik Chow over 8 years ago

I am having the same issue. I tried to use a register.com SSL cert, which has intermediate CAs. Upon getting the cert from register.com, pfSense complains about "does not match the signing request subject".

My pfsense version info:
2.0-RC1 (amd64)
built on Sat Mar 26 00:18:39 EDT 2011

#3 Updated by Mark Laagland over 8 years ago

I can also confirm this issue.

2.0-RC1 (i386)
built on Mon Mar 28 16:09:59 EDT 2011

The CSR (included) was signed using the CACert Class 1 root certificate. However, pfSense refuses the signed certificate. Getting

The certificate subject 'CN=stormfront-noord.int.storm.vu' does not match the signing request subject.

(CACert removes most fields, so pfSense is only complaining about the CN field)

CSR included. For obvious reasons, certificate not included.

#4 Updated by R M about 8 years ago

Also confirmed with RapidSSL with GeoTrust as the intermediate CA.

2.0-RC1 (amd64)
built on Thu Apr 14 11:13:23 EDT 2011

#5 Updated by David Prinzing about 8 years ago

I can also confirm this is the case with PositiveSSLs issued from Comodo.

2.0-RC1 (amd64)
built on Thu Apr 28 03:47:19 EDT 2011

#6 Updated by Ermal Luçi about 8 years ago

Possibly reading this link https://pkiwidgets.quovadisglobal.com/pkiwidgets/matchCertAndCSR.aspx the same procedure should be used from the GUI instead of pure text-based matching?!

#7 Updated by Jim Pingle about 8 years ago

Ermal - that is exactly what is in the works. Check ticket #1438 - this ticket can probably be closed in favor of that one, which is actually the solution for this ticket once implemented.
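
The matching proposed in comment #6, as an added example that is not part of the original thread and is not pfSense's code. It assumes the linked procedure means comparing the public key in the certificate with the one in the CSR; the keys, subjects and file names are constructed, and a self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example: decide whether a certificate belongs to a CSR by comparing
# public keys instead of subject text. Keys, subjects and files are constructed.

# Digest of the public key inside a CSR ($1 = req) or certificate ($1 = x509).
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1            # never compare two empty outputs
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Subject as RFC 2253 text, without the "subject=" label.
subject_text() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# $1 = certificate, $2 = CSR. Returns 0 when both carry the same public key.
cert_matches_csr() {
    c=$(pubkey_digest x509 "$1") && r=$(pubkey_digest req "$2") && [ "$c" = "$r" ]
}

# A plain subject-text comparison, the kind of check the ticket reports failing.
subject_text_matches() {
    [ "$(subject_text x509 "$1")" = "$(subject_text req "$2")" ]
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
full="/C=US/O=Example Org/CN=host.example.com"
openssl genrsa -out "$work/host.key" 2048 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
openssl req -new -key "$work/host.key" -subj "$full" -out "$work/host.csr"
# Stand-in for the CA's answer: same key, subject cut down to the CN.
openssl req -new -x509 -days 1 -key "$work/host.key" \
    -subj "/CN=host.example.com" -out "$work/issued.crt"
# Unrelated certificate: same subject text as the CSR, different key.
openssl req -new -x509 -days 1 -key "$work/other.key" \
    -subj "$full" -out "$work/unrelated.crt"

for name in issued unrelated; do
    subject_text_matches "$work/$name.crt" "$work/host.csr" && s=match || s=differ
    cert_matches_csr "$work/$name.crt" "$work/host.csr" && k=match || k=differ
    echo "$name.crt: subject text $s, public key $k"
done
```

The public-key check accepts the certificate whose subject was rewritten and rejects the unrelated one whose subject text is identical to the CSR's.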

#8 Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Feedback

Can anyone reproduce this since #1438 has been fixed/closed?

#9 Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Resolved
