ssl, openssl, mtls

Why should the stateOrProvinceName in the CSR match the CA's?


To study mTLS, I followed the guide on the following website to create the necessary certificates:

First, I created a CA with the following information:

Country Name (2 letter code) [JP]:
State or Province Name (full name) []:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [private]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Next, I created a CSR with the following details and tried to sign it with the CA created above.

Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:tokyo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client.yourdomain.com.
Email Address []:

But I encountered the following error:

# openssl ca -config /root/mtls/openssl.cnf -days 1650 -notext -batch -in client.csr -out client.cert.pem

Using configuration from /root/mtls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field does not exist in the CA certificate,
the 'policy' is misconfigured

After investigating this error, I found that the stateOrProvinceName value in the CSR must match that of the CA. When I recreated the CA and CSR with matching values, the CSR was successfully signed:

# CA
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [minato]:
Organization Name (eg, company) [private]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# CSR
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:minato
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client.yourdomain.com.
Email Address []:

I would like to understand why the stateOrProvinceName values in the CSR and CA must match. It seems reasonable for a CSR creator and a signing CA to be physically distant, such as a user in Japan requesting a certificate from Verisign.


Solution

  • There is no general requirement for which entries of the certificate and the CA must match. It is probably a restriction in your specific openssl.cnf. Look for something like this and change it based on your actual requirements:

    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
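A small model of that policy check, added here as an example (not OpenSSL's code and not part of the answer): it parses the policy section of a constructed openssl.cnf fragment and applies the match/supplied/optional rules to the subjects from the question, reproducing the error above under policy_match and showing that a permissive policy_anything section lets a CA sign for a requester in a different state. The field values and section names are assumptions modelled on the question.

```python
# Constructed openssl.cnf fragment (not the asker's file): the policy_match lines quoted in the
# answer plus a commonName rule, and the permissive policy_anything section the stock config ships.
OPENSSL_CNF = """
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
commonName              = supplied
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
commonName              = supplied
"""

def load_policies(cnf_text):
    """Parse each [ section ] of openssl.cnf-style text into {section: {key: value}}."""
    policies, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; blank lines match neither branch
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            policies[current] = {}
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            policies[current][key] = value
    return policies

def apply_policy(policy, ca_subject, csr_subject):
    """Model of the per-field check `openssl ca` makes: ("ok", issued_subject) or ("error", msg)."""
    issued = {}
    for field, rule in policy.items():
        req, ca = csr_subject.get(field), ca_subject.get(field)
        if rule == "match":  # request must carry the field and equal the CA's own value
            if req is None:
                return "error", f"The mandatory {field} field was missing"
            if ca is None:
                return "error", f"The {field} field does not exist in the CA certificate, the 'policy' is misconfigured"
            if req != ca:
                return "error", f"The {field} field needed to be the same in the CA certificate ({ca}) and the request ({req})"
        elif rule == "supplied" and req is None:  # must be present, any value accepted
            return "error", f"The {field} field needed to be supplied and was missing"
        if req is not None:  # fields the policy does not list never reach `issued` (they are dropped)
            issued[field] = req
    return "ok", issued

def first_attempt(section):
    """The asker's first attempt (constructed subjects: CA with no state, CSR keeping the
    'Some-State' default) signed under the named policy section."""
    ca = {"countryName": "JP", "localityName": "Tokyo", "organizationName": "private"}
    csr = {"countryName": "JP", "stateOrProvinceName": "Some-State", "localityName": "tokyo",
           "organizationName": "Internet Widgits Pty Ltd", "commonName": "client.yourdomain.com."}
    return apply_policy(load_policies(OPENSSL_CNF)[section], ca, csr)
```

Note that localityName is absent from the issued subject under policy_anything: a field the policy does not mention is silently dropped, which is the other reason to review the policy section rather than just the match lines.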