Help required for CSR validation

Wilankar, Trupti trupti.wilankar at hp.com
Mon Nov 23 08:23:56 CET 2009


Hi,

I have used Certtool from GnuTLS Windows version 2.9.9.
A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same.

CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req)

-----BEGIN CERTIFICATE REQUEST-----
MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJh
MQ8wDQYDVQQHEwZNdW1iYWkxCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxHzAd
BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7
TVpNp4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ
4QrHS21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeY
TkIJEiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4
coxUUJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4
UUUUfuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgADANBgkqhkiG9w0B
AQQFAAOCAQEAMJR9MY1wzgAU6GqvQets13etdZwA/IxJhdBTWVtSRMWIydHFnOjB
ZTEkB3vbW6YkenhKEd4Ok14DYD5UwB5p5KjdZZGzxSepYiE+orjLoz2A+RD0dNWj
bXTH/3TIDZqHAXUVFnSjG3EpR0nIG/KctwYAJHRO7SLvi1qz1/VLc94k7ZjyV+ua
vG+eSoqVVl4lSuEVxX2aHiIS4qETDZXGeGOqyj78ZlUpW3rqXT5H5SzzDVaSgi09
B/ElT1S5U2b7jFJGbtaw9JrYIaYyIxiHwsQyNYRR+SUhYfeqSCP0jPAu7Egf/ov6
Gp2XrVua/I+h281LN2TZZ1GVe7+VGxnYIg==
-----END CERTIFICATE REQUEST-----

CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4DCCAcoCAQAwcDELMAkGA1UEBhMCSU4xCzAJBgNVBAoTAkhQMQwwCgYDVQQL
EwNORUQxDzANBgNVBAcTBk11bWJhaTEUMBIGA1UECBMLTWFoYXJhc2h0cmExHzAd
BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEfMAsGCSqGSIb3DQEBAQOC
AQ4AMIIBCQKCAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7TVpN
p4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ4QrH
S21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeYTkIJ
EiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4coxU
UJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4UUUU
fuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgMDAuBgkqhkiG9w0BCQ4x
ITAfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADALBgkqhkiG9w0BAQUD
ggEBAG4aCIve3sc/QjCctS7STGEp9WZ8t9OPLHlhX+hp07L4g9Nhi83Xk6Ses5pw
z9dvn0+Bb34h+dnTjfsvsVwM2Kk5BII9gj1T12JsrbalJxlqAXkEu28w7/gJvR0q
/a5wXS19/2pmmN9WpGVnSAeJ46tYG8nA2fPdACIG/QwYD1FW78NHn2NcFiYNKS9Q
OR2ZXMYXYfiBaHUeudY4ve8Phlx5nmFF4mk30fC+I0pWGBXA04fbunSybnURjfh+
AdfL01LI6ShkfNLUywEq5/zmGA+HyGnBWjwlYBWlG6B0O4Yjtfye/qgqlBtXcQ7e
f0HYlL3oOiHADwPtqJ9REuJb//s=
-----END NEW CERTIFICATE REQUEST-----

We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR.

Thanks,
Trupti


-----Original Message-----
From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos
Sent: Sunday, November 22, 2009 12:40 AM
To: Wilankar, Trupti
Cc: Simon Josefsson; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan
Subject: Re: Help required for CSR validation

Wilankar, Trupti wrote:
> Hello Simon,
> 
> We have tried various combinations of DNs. But, we end up with the same error. 
> We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. 
> CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate.
> We face the same problem when using GnuTLS APIs to generate a CSR.
> 
> However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate.
> 
> We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help.

Could you send me two identical CSRs one with openssl and the other with
gnutls?





More information about the Gnutls-devel mailing list