OpenSSL identity information did not stick in certificate

Jeff Porten

1/9/23, 11:40 PM

We were just required to update our SSL certificate after the first year's expiration date come up. We've done this several times before with no issues—Google the right flags to use with openssl, plug that into Comodo, upload the certs and we're good to go.

This time we ran into all sorts of problems; our (outdated) macOS Servers kept kicking back our certs as invalid. This could very well be a problem on the macOS side, as these are years out of date and I wouldn't be surprised if they don't have to code to talk updated encryption techniques. But we also had a problem with our mail server: it's working with the cert we requested from the CSR generator at https://www.digicert.com/easy-csr/openssl.htm, but it lost the identity information: name of company, city state country.

Appears to be a cosmetic problem, but important cosmetics. What might have caused this? We generated the CSR using OpenSSL 2.6.5 on macOS 10.14. (Yes, also a few years old, but we have good reasons to stick with Mojave.)

121

0 + 0

mac-osx

openssl

ssl-certificate

dave_thompson_085

1/10/23, 5:34 AM

(1) the CA controls what identity information to put in your cert; according to standards it should only be things they have validated, and except for EV (did you pay for EV?) nowadays that generally does not include organization and location, although it depends on exactly what type of cert you got and the CA's applicable Subscriber Agreement and Certification Practice Statement -- did you read those?

dave_thompson_085

1/10/23, 5:36 AM

(2) if peers are claiming your cert invalid, it won't be because of any identity information other than _sometimes_ your domainname in CN or SAN, but you don't say what the actual error(s) are; one fairly common error is to not correctly configure the necessary chain/intermediate cert(s) along with your entity/server cert.

dave_thompson_085

1/10/23, 5:38 AM

PS: MacOS uses _LibreSSL_ which is a fork of OpenSSL, not really actual true OpenSSL, but at the user level the minor internal differences usually don't matter. Version numbers 2.anything are characteristic of Libre and not Open.

garethTheRed

1/10/23, 5:54 AM

Or, did you send the correct _identity_ in the first place. Have you checked that the CSR contains the required Subject? `openssl req -in <file> -noout -subject` should show what you requested.

Jeff Porten

1/13/23, 12:52 AM

I don't think we paid for EV in this license—if that means that such information automatically gets stripped from the cert, let me know and I'll pass that along to the client. We tried it twice and the information was stripped both times, with interactive questions during the certificate request and by including a -subj tag in the command line.

Jeff Porten

1/13/23, 12:53 AM

The cert seems to work fine, we're just concerned about the data that shows when a user chooses to display the certificate.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: OpenSSL identity information did not stick in certificate

TH: ข้อมูลประจำตัว OpenSSL ไม่ติดอยู่ในใบรับรอง

RO: Informațiile de identitate OpenSSL nu au fost lipite în certificat

RU: Информация об удостоверении OpenSSL не сохраняется в сертификате

VI: Thông tin nhận dạng OpenSSL không dính vào chứng chỉ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.