gnutls-devel

RE: Help required for CSR validation


From: Wilankar, Trupti
Subject: RE: Help required for CSR validation
Date: Fri, 20 Nov 2009 11:49:48 +0000

Hello Simon,

We have tried various combinations of DNs. But, we end up with the same error. 
We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have 
also downloaded Windows versions 2.8.5 and 2.9.9. 
CSRs generated by using certtool provided by the above 3 versions fail to get a 
valid certificate.
We face the same problem when using GnuTLS APIs to generate a CSR.

However, CSRs generated by OpenSSL with the same DN fields and keys give us a 
valid trial certificate.

We are kind of stuck and do not know how to proceed further. Any guidelines to 
generate a valid CSR (acceptable by CAs) would be of great help.

Thanks,
Trupti

-----Original Message-----
From: Simon Josefsson [mailto:address@hidden 
Sent: Thursday, November 19, 2009 10:48 PM
To: Wilankar, Trupti
Cc: Nikos Mavrogiannopoulos; Konjarla, Pavan; address@hidden; Amburle, Rohan
Subject: Re: Help required for CSR validation

"Wilankar, Trupti" <address@hidden> writes:

> Hi Nikos,
> Thanks for the patch. Although the NULL fields are now visible in the CSR (as 
> verified in OpenSSL), the CSR is still not acceptable by the CAs like 
> Verisign, Thawte, GeoTrust etc. Verisign continues to give the error 'CSR 
> encoding error. Submit a valid CSR.'
> Any thoughts as to what could be causing this issue? We have tried changing 
> various parameters of the CSR like version, signature algorithm etc., but 
> nothing works.

One common problem is that you add too much or too little information in
the DN -- try just adding a CN of the hostname, and skip everything
else, OR try to make sure that all normal fields like O, OU, L, etc. are
filled in.  I've used GnuTLS to generate CSRs against some
commercial CAs and it did work but required quite some testing to see
what they expect -- but I assume when you use OpenSSL.  You may also
need a recent GnuTLS to make sure you assert the right key usage bits.

/Simon

> Regards,
> Trupti
>
> -----Original Message-----
> From: Nikos Mavrogiannopoulos [mailto:address@hidden On Behalf Of Nikos 
> Mavrogiannopoulos
> Sent: Wednesday, November 18, 2009 11:45 PM
> To: Wilankar, Trupti
> Cc: address@hidden; Konjarla, Pavan; Amburle, Rohan
> Subject: Re: Help required for CSR validation
>
> Wilankar, Trupti wrote:
>> Hello,
>> 
>> I am from the iTP WebServer development team. The webserver runs on the HP 
>> NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 
>> standards and are using GnuTLS to extend this support.
>> We are facing problems with regards to validation of the CSR generated using 
>> the GnuTLS APIs.
>>  Though the CSR seems valid (as verified in OpenSSL and other online CSR 
>> decoders), CAs like Verisign, Thawte etc. give an error while parsing the CSR.
>> 
>> We generated CSRs with the same DN attributes with GnuTLS and OpenSSL.  After 
>> ASN.1 parsing both the CSRs in OpenSSL, we found that the CSR generated by 
>> GnuTLS misses the NULL paddings separating the CertificationRequestInfo, 
>> signatureAlgorithm and Signature.
> [...]
>> Is it possible that the CAs are unable to generate a valid certificate due 
>> to these NULL paddings, or is there another reason why these CAs fail to 
>> parse the CSR?
>
> Hi,
>  Thanks for bringing that up to me. Probably it might be some error in the 
> parsing library of the CA. I attach you a quick fix and if it works for you I 
> will add an option to encode using this format in certtool.
>
> regards,
> Nikos
