Help required for CSR validation

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Nov 24 20:15:19 CET 2009


Wilankar, Trupti wrote:
> Hi,
> 
> I have used Certtool from GnuTLS Windows version 2.9.9.
> A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). 
> This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also the same.
> 
> CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req)

Those certificate requests differ in the sense that the second has
extensions. I suspect that you already tried without (from your first
mail), but anyway a patch is attached to build without. In any case,
if you can, please send one certificate with certtool that doesn't
contain extensions and doesn't get accepted by the authority you try.
(Is there an easy way for me to try that?)

Best regards.
Nikos


> 
> CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req)
> 
> We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR.
> 
> Thanks,
> Trupti
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch
URL: </pipermail/attachments/20091124/cc0a5e38/attachment.asc>
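
The reply above says the two requests differ in that the certtool one carries extensions. The following is an added example, not part of the original message or of GnuTLS: it lists the attribute OIDs of a PKCS#10 request so the presence of an extensionRequest attribute can be checked. All function names are this example's own, and the sample inputs are constructed skeletons with empty subject, key and signature fields.

```python
import base64
import re

EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def csr_attribute_oids(csr):
    """Attribute OIDs of a PKCS#10 request given as PEM text or DER bytes."""
    if isinstance(csr, str):  # accepts both the plain and the "NEW" PEM label
        m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", csr, re.S)
        if m is None:
            raise ValueError("no certificate request PEM block found")
        csr = base64.b64decode(m.group(1))
    info = children(read_tlv(csr, 0)[1])[0][1]  # CertificationRequestInfo
    # Its fields are version, subject, subjectPKInfo and [0] attributes (tag 0xA0).
    sets = [body for tag, body in children(info) if tag == 0xA0]
    return [decode_oid(children(attr)[0][1]) for s in sets for _, attr in children(s)]

def tlv(tag, content=b""):  # short-form DER encoder, enough for the samples below
    return bytes([tag, len(content)]) + content

def sample_csr(attributes):
    """Constructed skeleton: empty subject, key and signature, not a valid request."""
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30) + tlv(0x30) + tlv(0xA0, attributes))
    return tlv(0x30, info + tlv(0x30) + tlv(0x03, b"\x00"))

EXT_ATTR = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01090e")) + tlv(0x31, tlv(0x30)))
```

Passing the text of a request file to csr_attribute_oids() returns an empty list when the request has no attributes and includes EXTENSION_REQUEST when it asks for extensions.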

