You’re probably here because you’re getting an error like this:

03/14 17:29[root@admin1-stage ca]# ./sign-csr doug_fresh
Using configuration from /ebs/openvpn/ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'California'
localityName          :ASN.1 12:'San Francisco'
organizationName      :ASN.1 12:'CompanyX'
commonName            :ASN.1 12:'Doug E. Fresh'
emailAddress          :IA5STRING:'doug@awesome.domain'
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (California)
03/14 17:29[root@admin1-stage ca]#

But, the field DOES match you say! Look! It says it right there! How could this be!?!?!?

Well, here’s the fix you’re looking for. Open up the openssl.cnf file on the client generating the CSR, look for string_mask, replace “utf8” with “nombstr”, and then generate a new CSR:

dpeters@MuckTop530:/etc$ cat /etc/ssl/openssl.cnf | grep string_mask
string_mask = nombstr
#string_mask = utf8only


Your mileage may vary on the exact location of your openssl.cnf, but find it, and change it.
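Why two identical-looking values fail to match, as an added example that is not part of the original post: it assumes, as the fix implies, that the CA certificate and the request carry the same text in different ASN.1 string types (in the listing above, "ASN.1 12" is universal tag 12, UTF8String, while PRINTABLE is PrintableString). The helper names and the sample names below are constructed for illustration.

```python
# Added example: minimal DER reader for an X.501 Name, enough to show string types.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "T61String", 0x16: "IA5String"}
OIDS = {"550406": "countryName", "550408": "stateOrProvinceName",
        "55040a": "organizationName", "550403": "commonName"}

def tlv(tag, body):
    """Encode one DER TLV (short-form length only; enough for the sample data)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos), handling short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_attrs(der):
    """Map attribute name -> (string type, text) for a DER-encoded Name."""
    tag, rdns, _ = read_tlv(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = {}, 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)      # SET: one RDN
        _, atv, _ = read_tlv(rdn)              # SEQUENCE {type OID, value}
        _, oid, p = read_tlv(atv)
        stag, val, _ = read_tlv(atv, p)
        out[OIDS.get(oid.hex(), oid.hex())] = (
            STRING_TAGS.get(stag, f"tag {stag}"), val.decode("utf-8", "replace"))
    return out

def type_mismatches(ca_der, req_der):
    """Attributes whose text is equal but whose ASN.1 string type differs."""
    ca, req = name_attrs(ca_der), name_attrs(req_der)
    return [(k, ca[k][0], req[k][0]) for k in ca
            if k in req and ca[k][1] == req[k][1] and ca[k][0] != req[k][0]]

def make_name(attrs):
    """Build a constructed sample Name from (oid_hex, string_tag, text) tuples."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(o)) + tlv(t, s.encode())))
        for o, t, s in attrs))

# Constructed sample data: same text, different string types (not the page's real CA).
CA_NAME = make_name([("550406", 0x13, "US"), ("550408", 0x13, "California"),
                     ("55040a", 0x13, "CompanyX")])
REQ_NAME = make_name([("550406", 0x13, "US"), ("550408", 0x0C, "California"),
                      ("55040a", 0x0C, "CompanyX")])

if __name__ == "__main__":
    for attr, ca_t, req_t in type_mismatches(CA_NAME, REQ_NAME):
        print(f"{attr}: CA={ca_t} request={req_t}")
```

To run the same comparison on real files, pass `name_attrs` the DER bytes of the subject Name extracted from the CA certificate and from the CSR.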

Some more explanation, as I understand it: in 1999, a bunch of Dudes said that come 2003, everyone has to start encoding these common fields in SSL certs as UTF8 (AKA ASN.1). Well, 2003 rolled around, and nobody really paid attention to that rule. openssl 1.0 was delayed for a bazillion years, and people just patched the heck out of openssl 0.9.7 and 0.9.8. Well, apparently with openssl 1.0 it now defaults to encoding these strings in UTF8 (AKA ASN.1). I’ve only observed the post-openssl-1.0 link anecdotally; I’m not sure if this was an official policy change or not. Hey, better 10 years late than never, right?