0

We were just required to update our SSL certificate after the first year's expiration date come up. We've done this several times before with no issues—Google the right flags to use with openssl, plug that into Comodo, upload the certs and we're good to go.

This time we ran into all sorts of problems; our (outdated) macOS Servers kept kicking back our certs as invalid. This could very well be a problem on the macOS side, as these are years out of date and I wouldn't be surprised if they don't have to code to talk updated encryption techniques. But we also had a problem with our mail server: it's working with the cert we requested from the CSR generator at https://www.digicert.com/easy-csr/openssl.htm, but it lost the identity information: name of company, city state country.

Appears to be a cosmetic problem, but important cosmetics. What might have caused this? We generated the CSR using OpenSSL 2.6.5 on macOS 10.14. (Yes, also a few years old, but we have good reasons to stick with Mojave.)

Jeff Porten
  • 131
  • 4
  • (1) the CA controls what identity information to put in your cert; according to standards it should only be things they have validated, and except for EV (did you pay for EV?) nowadays that generally does not include organization and location, although it depends on exactly what type of cert you got and the CA's applicable Subscriber Agreement and Certification Practice Statement -- did you read those? – dave_thompson_085 Sep 10 '21 at 05:34
  • (2) if peers are claiming your cert invalid, it won't be because of any identity information other than _sometimes_ your domainname in CN or SAN, but you don't say what the actual error(s) are; one fairly common error is to not correctly configure the necessary chain/intermediate cert(s) along with your entity/server cert. – dave_thompson_085 Sep 10 '21 at 05:36
  • PS: MacOS uses _LibreSSL_ which is a fork of OpenSSL, not really actual true OpenSSL, but at the user level the minor internal differences usually don't matter. Version numbers 2.anything are characteristic of Libre and not Open. – dave_thompson_085 Sep 10 '21 at 05:38
  • Or, did you send the correct _identity_ in the first place. Have you checked that the CSR contains the required Subject? `openssl req -in -noout -subject` should show what you requested. – garethTheRed Sep 10 '21 at 05:54
  • I don't think we paid for EV in this license—if that means that such information automatically gets stripped from the cert, let me know and I'll pass that along to the client. We tried it twice and the information was stripped both times, with interactive questions during the certificate request and by including a -subj tag in the command line. – Jeff Porten Sep 13 '21 at 00:52
  • The cert seems to work fine, we're just concerned about the data that shows when a user chooses to display the certificate. – Jeff Porten Sep 13 '21 at 00:53

0 Answers0