[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Help required for CSR validation
From: |
Wilankar, Trupti |
Subject: |
RE: Help required for CSR validation |
Date: |
Thu, 19 Nov 2009 10:43:22 +0000 |
Hi Nikos,
Thanks for the patch. Although the NULL fields are now visible in the CSR (as
verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign,
Thawte, GeoTrust etc. Verisign continues to give the error 'CSR encoding
error. Submit a valid CSR.'
Any thoughts as to what could be causing this issue. We have tried changing
various parameters of the CSR like version, signature algorithm etc.. but
nothing works.
Regards,
Trupti
-----Original Message-----
From: Nikos Mavrogiannopoulos [mailto:address@hidden On Behalf Of Nikos
Mavrogiannopoulos
Sent: Wednesday, November 18, 2009 11:45 PM
To: Wilankar, Trupti
Cc: address@hidden; Konjarla, Pavan; Amburle, Rohan
Subject: Re: Help required for CSR validation
Wilankar, Trupti wrote:
> Hello,
>
> I am from the iTP WebServer development team. The webserver runs on the HP
> NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1
> standards and are using GnuTLS to extend this support.
> We are facing problems with regards to validation of the CSR generated using
> the GnuTLS APIs.
> Though the CSR seems valid (as verified in OpenSSL and other online CSR
> decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
>
> We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After
> ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by
> GnuTLS misses NULL paddings separating the CertificationRequestInfo,
> signatureAlgorithm and Signature.
[...]
> Is it possible that the CAs are unable to generate a valid certificate due to
> these NULL paddings or is there another reason why these CAs fail to parse
> the CSR.
Hi,
Thanks for bringing that up to me. Probably it might be some error in the
parsing library of the CA. I attach you a quick fix and if it works for you I
will add an option to encode using this format in certtool.
regards,
Nikos
- Help required for CSR validation, Wilankar, Trupti, 2009/11/17
- Re: Help required for CSR validation, Nikos Mavrogiannopoulos, 2009/11/18
- RE: Help required for CSR validation,
Wilankar, Trupti <=
- Re: Help required for CSR validation, Simon Josefsson, 2009/11/19
- RE: Help required for CSR validation, Wilankar, Trupti, 2009/11/20
- Re: Help required for CSR validation, Nikos Mavrogiannopoulos, 2009/11/21
- RE: Help required for CSR validation, Wilankar, Trupti, 2009/11/23
- Re: Help required for CSR validation, Daniel Kahn Gillmor, 2009/11/23
- RE: Help required for CSR validation, Wilankar, Trupti, 2009/11/24
- Re: Help required for CSR validation, Nikos Mavrogiannopoulos, 2009/11/24
- Re: Help required for CSR validation, Nikos Mavrogiannopoulos, 2009/11/24
- Re: Help required for CSR validation, Boyan Kasarov, 2009/11/24
- Re: Help required for CSR validation, Nikos Mavrogiannopoulos, 2009/11/24