gnutls-devel

Re: Help required for CSR validation


From: Nikos Mavrogiannopoulos
Subject: Re: Help required for CSR validation
Date: Tue, 24 Nov 2009 21:15:19 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Wilankar, Trupti wrote:
> Hi,
> 
> I have used Certtool from GnuTLS Windows version 2.9.9.
> A 2048 bit private key was generated using Certtool (Command: certtool -p 
> --outfile priv.key --bits 2048). 
> This private key was used to create CSRs, both on OpenSSL and Certtool. The 
> DN fields (C, CN, ST, L, O, OU) used in both CSRs are also the same.
> 
> CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out 
> openssl.req)

Those certificate requests differ in the sense that the second has
extensions. I suspect that you already tried without (from your first
mail), but anyway a patch is attached to build without. In any case,
if you can, please send one certificate with certtool that doesn't
contain extensions and doesn't get accepted by the authority you try.
(Is there an easy way for me to try that?)

best regards.
Nikos


> 
> CSR from Certtool: (Command: certtool --generate-request --load-privkey 
> priv.key --outfile gnutls.req)
> 
> We were able to generate a trial certificate from VeriSign using the OpenSSL 
> CSR but got the error 'CSR encoding error. Submit a valid CSR.' with the 
> Certtool CSR.
> 
> Thanks,
> Trupti
diff --git a/src/certtool.c b/src/certtool.c
index d8204be..281f7fd 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1877,7 +1877,7 @@ generate_request (void)
       if (ret < 0)
        error (EXIT_FAILURE, 0, "set_pass: %s", gnutls_strerror (ret));
     }
-
+#if 0
   ca_status = get_ca_status ();
   if (ca_status)
     path_len = get_path_len ();
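Review bot: The `#if 0` that replaces the blank line before `ca_status = get_ca_status ();` removes the extension prompts for every build and every user, with no comment saying why. That is fine as a throwaway diagnostic, but if requests without extensions are meant to be supported, a runtime switch (a command-line option or template setting) guarding this block would be safer than a preprocessor disable. Also check that `ca_status` and `path_len` are not left as unused variables once their only visible assignments here are compiled out.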
@@ -1963,7 +1963,7 @@ generate_request (void)
       if (ret < 0)
        error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
     }
-
+#endif
   ret = gnutls_x509_crq_set_key (crq, key);
   if (ret < 0)
     error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (ret));
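Review bot: The `#endif` sits directly before `ret = gnutls_x509_crq_set_key (crq, key);`, so going by the two hunk headers the disabled region runs from about line 1880 to line 1966 of generate_request, and only its first and last few lines are visible in this patch. Please confirm that nothing in that span other than extension handling is dropped, since any error check or setup in between silently disappears along with the "key_kp" check shown here. A trailing comment on the `#endif` naming what it closes would make such a long disabled region easier to spot and revert.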
