We have a certificate authority that uses OpenSSL to sign certificate requestsIf I use the certificate plugin in MMC, I can generate a certificate request using "Create Custom Request", "without enrollment policy", "legacy key", detail->properties->subject, then add the required fields for CN, country, organization etc.Our CA requires that the organization, country and state fields in the request to match those in the CA, i..e. it will only sign in-house certificates. When generating requests using OpenSSL in Linux, or with OpenSSL under cygwin on XP, or with some3rd-party tools such as XCA, we set the state to "BC" either in a template or at the OpenSSL prompt, and the certificate can be signed.(openssl.cnf [policy_match] stateOrProvinceName = match, etc.)If I generate a request using the Windows plugin, and use the CA to sign it, I get an errorThe stateOrProvinceName field needed to be the same in the CA certificate (BC) and the request (BC)When I use "openssl req" to display the request, I can see no difference in the Subject line between a Windows-generated request that fails and an OpenSSL-generated request that works.I don't know whether this is a problem with the Windows plugin or with OpenSSL, although as I say it works with XCA which I believe uses the Windows certificate storeI wondered if anyone else had seen this problem.

Hi, Since this is a development related issue, I suggest that you post in our MSDN forum for discussion. MSDNArthur Xie - MSFT