The problem is as follows:
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (CN)
As you can see, the DN contents of the CA certificate and the request are identical, yet the error is still reported. The real cause is the string encoding.
Use the following commands to inspect the encoding:
openssl asn1parse -in /etc/pki/CA/cacert.pem
openssl asn1parse -in server01.csr
The countryName in the request file is a UTF8STRING, while in the CA certificate it is a PRINTABLESTRING.
The openssl.cnf configuration file has a character encoding setting, string_mask = utf8only. Although this asks for every field of the certificates issued by openssl ca to be UTF-8, the countryName in the DN is in practice still a PRINTABLESTRING.
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
I consulted a lot of material; none of it was easy to apply or it simply did not work. Two simple methods are provided here. 1. Modify the matching policy used when signing certificates to get around the problem.
[ policy_match ]
countryName = supplied
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
That is, change countryName from the original match to supplied, which bypasses the comparison.
2. Change the encoding of the DN field in the CSR file to V_ASN1_PRINTABLESTRING
#include <openssl/x509.h>

/* Build the subject DN of the request. x509_name is the X509_NAME * being filled in; pbCN, pbOU, pbO, pbL, pbST and pbC point to the NUL-terminated field values. Each call returns 1 on success and 0 on failure. */
X509_NAME_add_entry_by_txt(x509_name, "CN", V_ASN1_UTF8STRING, (const unsigned char *)pbCN, -1, -1, 0);
X509_NAME_add_entry_by_txt(x509_name, "OU", V_ASN1_UTF8STRING, (const unsigned char *)pbOU, -1, -1, 0);
X509_NAME_add_entry_by_txt(x509_name, "O", V_ASN1_UTF8STRING, (const unsigned char *)pbO, -1, -1, 0);
X509_NAME_add_entry_by_txt(x509_name, "L", V_ASN1_UTF8STRING, (const unsigned char *)pbL, -1, -1, 0);
X509_NAME_add_entry_by_txt(x509_name, "ST", V_ASN1_UTF8STRING, (const unsigned char *)pbST, -1, -1, 0);
/* countryName is encoded as a PrintableString so that it compares equal to the entry in the CA certificate. */
X509_NAME_add_entry_by_txt(x509_name, "C", V_ASN1_PRINTABLESTRING, (const unsigned char *)pbC, -1, -1, 0);
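As an added illustration (not code from the original post), the following Python re-creates the failure with a tiny DER reader: it decodes the string type of each DN attribute, as openssl asn1parse shows it, and re-runs the policy check the way openssl ca does (match compares type and bytes, supplied only requires presence). The DNs are constructed sample data, attribute names are the short forms (C, ST, O, CN), and the error message is changed to report the string type instead of the value, which is exactly what the real message hides.

```python
OID = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
SHORT = {oid: k for k, oid in OID.items()}
PRINTABLE, UTF8 = 0x13, 0x0C                      # ASN.1 tags of PrintableString / UTF8String
TAGNAME = {PRINTABLE: "PRINTABLESTRING", UTF8: "UTF8STRING"}

def der(tag, body):                               # short-form TLV, enough for the names built here
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def name_der(entries):                            # DER Name from (attribute, string tag, value) triples
    rdns = b"".join(der(0x31, der(0x30, der(0x06, OID[k]) + der(tag, v.encode()))) for k, tag, v in entries)
    return der(0x30, rdns)

def tlv(buf, pos):                                # read one TLV: (tag, contents, position after it)
    tag, n, hdr = buf[pos], buf[pos + 1], 2
    if n & 0x80:                                  # long-form length
        hdr, n = 2 + (n & 0x7F), int.from_bytes(buf[pos + 2:pos + 2 + (n & 0x7F)], "big")
    return tag, buf[pos + hdr:pos + hdr + n], pos + hdr + n

def parse_name(blob):                             # [(attribute, string tag, value)], single-valued RDNs
    _, seq, _ = tlv(blob, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = tlv(seq, pos)               # SET
        _, atv, _ = tlv(rdn, 0)                   # SEQUENCE { OID, value }
        _, oid, p = tlv(atv, 0)
        vtag, val, _ = tlv(atv, p)
        out.append((SHORT.get(oid, oid.hex()), vtag, val.decode()))
    return out

def check_policy(ca, req, policy):                # mimic openssl ca's policy section
    ca_dn = {k: (t, v) for k, t, v in parse_name(ca)}
    req_dn = {k: (t, v) for k, t, v in parse_name(req)}
    for field, rule in policy.items():
        if rule == "optional":
            continue
        if field not in req_dn:
            return f"The {field} field needed to be supplied and was missing"
        if rule == "match" and ca_dn.get(field) != req_dn[field]:   # type AND bytes must agree
            ca_tag = TAGNAME.get(ca_dn.get(field, (None,))[0], "absent")
            return (f"The {field} field is different between CA certificate ({ca_tag}) "
                    f"and the request ({TAGNAME.get(req_dn[field][0], 'other')})")
    return "ok"

# Constructed sample data: same visible DN, but C encoded differently (the situation in the post).
CA_NAME = name_der([("C", PRINTABLE, "CN"), ("ST", UTF8, "Beijing"), ("O", UTF8, "Example"), ("CN", UTF8, "Example CA")])
BAD_CSR = name_der([("C", UTF8, "CN"), ("ST", UTF8, "Beijing"), ("O", UTF8, "Example"), ("CN", UTF8, "server01")])
GOOD_CSR = name_der([("C", PRINTABLE, "CN"), ("ST", UTF8, "Beijing"), ("O", UTF8, "Example"), ("CN", UTF8, "server01")])
POLICY_MATCH = {"C": "match", "ST": "match", "O": "match", "CN": "supplied"}
POLICY_FIXED = dict(POLICY_MATCH, C="supplied")   # method 1 from the post
```

Running check_policy(CA_NAME, BAD_CSR, POLICY_MATCH) reproduces the failure, while either POLICY_FIXED (method 1) or GOOD_CSR (method 2) returns "ok".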