Re: Generating CSR for Netscape Certificate Server based CA

[Merton Campbell Crockett]

I am responding to my own post so that others who may have a problem with
submitting a CSR to a Netscape Certificate Server will find something in the
archives that provides a possible solution.

The problem that I was having was that Netscape Certificate Server expects
the following strings bounding the encoded CSR:

        BEGIN NEW CERTIFCATE REQUEST
        END NEW CERTIFICATE REQUEST

The SSLeay utilities that I was using generate the CSR with the following
strings bounding the encoded CSR:

        BEGIN CERTIFICATE REQUEST
        END CERTIFICATE REQUEST

If you include the BEGIN and END lines with the encoded CSR into the form
displayed by the Netscape Certificate Server, the signing request is
rejected with a "bad DER encoding" error.  This is misleading as the error
has nothing to do with the DER encoding.  The CSR is being rejected because
the expected word NEW does not appear in the BEGIN and END lines.

The solution to this problem is to omit the BEGIN and END lines and only
paste the actual, encoded CSR into the form.

Merton Campbell Crockett
General Dynamics Electronic Systems 


On Sat, 29 Jan 2000, Merton Campbell Crockett wrote:

> I need to create a Certificate Signing Request for the DoD Certificate
> Authority.  DoD uses a Netscape Certificate Server to manage and sign its
> certificates.
> 
> To date, I have not been able to generate a CSR that is acceptable to the
> Netscape Certificate Server.  All requests are rejected with a "bad DER
> encoding" error.  While this may be an accurate error, I am beginning to
> suspect that the problem may be a field that is required by the Netscape
> Certificate Server but that is optional or not used by a commercial third-
> party Certificate Authority, e.g. VeriSign, Thawte, CyberTrust, etc.
> 
> Currently, I'm using Apache/Stronghold rather than Apache/mod_ssl; however,
> due to the common SSL ancestry, I'm hopeful that someone has had to address
> this problem and can provide a solution to my problem.
> 
> I have not made any changes to any SSL configuration files.  And, I have
> only used the basic utilities to convert from the PEM formats used in an
> Apache SSL environment to the DER formats used by Netscape.
> 
> Merton Campbell Crockett
> 
> 
> 

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]