[EMAIL PROTECTED] (J. B. Chambers) writes: > Hi, folks. I hope this is an easy question. I've searched the -users archive and >also on google and found a couple of similar reports, but no cogent answers. > > I just renewed my web server's Verisign Secure Server certificate (our 3rd year with >them). The certificate they sent me this year is slightly larger than previously >(1229 bytes rather than 912), and can't be loaded. When I try to inspect it with >openssl x509 -text, I get this error message: > > unable to load certificate > 11366:error:0D0A0007:asn1 encoding routines:d2i_X509_ALGOR:expecting an asn1 >sequence:x_algor.c:85:address=1539371 offset=0 > 11366:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 >error:x_x509.c:104:address=1538600 offset=771 > 11366:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290: > > Verisign tech support basically told me it was my problem to tell them what was >wrong with the cert (!). I've doublechecked the original CSR and it was OK. Does this >problem look familiar to anyone? The certificate is hosed. It's not even correct BER.
Here's a BER decoding of the certificate: 00000 ; 30 82 03 8e <0> CONSTRUCTED SEQUENCE, 910 octets 00004 ; 30 82 02 fb <1> CONSTRUCTED SEQUENCE, 763 octets 00008 ; a0 03 <2> CONSTRUCTED CONTEXT-SPECIFIC 0, 3 octets 00010 ; 02 01 <3> INTEGER, 1 octets = 2 00012 ; 02 . 00013 ; 02 10 <2> INTEGER, 16 octets = 00015 ; 39 28 ca af d7 1d e6 59 f0 29 76 df 11 8f 78 07 9(.....Y.)v...x. 00031 ; 30 0d <2> CONSTRUCTED SEQUENCE, 13 octets 00033 ; 06 09 <3> OBJECT IDENTIFIER, 9 octets = 1 2 840 113549 1 1 4 00035 ; 2a 86 48 86 f7 0d 01 01 04 *.H...... 00044 ; 05 00 <3> NULL, 0 octets 00046 ; 30 5f <2> CONSTRUCTED SEQUENCE, 95 octets 00048 ; 31 0b <3> CONSTRUCTED SET, 11 octets 00050 ; 30 09 <4> CONSTRUCTED SEQUENCE, 9 octets 00052 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 6 00054 ; 55 04 06 U.. 00057 ; 13 02 <5> PrintableString, 2 octets = 00059 ; 55 53 US 00061 ; 31 20 <3> CONSTRUCTED SET, 32 octets 00063 ; 30 1e <4> CONSTRUCTED SEQUENCE, 30 octets 00065 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 10 00067 ; 55 04 0a U.. 00070 ; 13 17 <5> PrintableString, 23 octets = 00072 ; 52 53 41 20 44 61 74 61 20 53 65 63 75 72 69 74 RSA Data Securit 00088 ; 79 2c 20 49 6e 63 2e y, Inc. 00095 ; 31 2e <3> CONSTRUCTED SET, 46 octets 00097 ; 30 2c <4> CONSTRUCTED SEQUENCE, 44 octets 00099 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 11 00101 ; 55 04 0b U.. 00104 ; 13 25 <5> PrintableString, 37 octets = 00106 ; 53 65 63 75 72 65 20 53 65 72 76 65 72 20 43 65 Secure Server Ce 00122 ; 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 rtification Auth 00138 ; 6f 72 69 74 79 ority 00143 ; 30 1e <2> CONSTRUCTED SEQUENCE, 30 octets 00145 ; 17 0d <3> UTCTime, 13 octets = Fri Jan 18 00:00:00 2002 +0000 00147 ; 30 32 30 31 31 38 30 30 30 30 30 30 5a 020118000000Z 00160 ; 17 0d <3> UTCTime, 13 octets = Sat Feb 15 23:59:59 2003 +0000 00162 ; 30 33 30 32 31 35 32 33 35 39 35 39 5a 030215235959Z 00175 ; 30 81 9b <2> CONSTRUCTED SEQUENCE, 155 octets 00178 ; 31 0b <3> CONSTRUCTED SET, 11 octets 00180 ; 30 09 <4> CONSTRUCTED SEQUENCE, 9 octets 00182 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 6 00184 ; 55 04 06 U.. 00187 ; 13 02 <5> PrintableString, 2 octets = 00189 ; 55 53 US 00191 ; 31 0e <3> CONSTRUCTED SET, 14 octets 00193 ; 30 0c <4> CONSTRUCTED SEQUENCE, 12 octets 00195 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 8 00197 ; 55 04 08 U.. 00200 ; 13 05 <5> PrintableString, 5 octets = 00202 ; 54 65 78 61 73 Texas 00207 ; 31 0f <3> CONSTRUCTED SET, 15 octets 00209 ; 30 0d <4> CONSTRUCTED SEQUENCE, 13 octets 00211 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 7 00213 ; 55 04 07 U.. 00216 ; 14 06 <5> TeletexString, 6 octets = 00218 ; 41 75 73 74 69 6e Austin 00224 ; 31 26 <3> CONSTRUCTED SET, 38 octets 00226 ; 30 24 <4> CONSTRUCTED SEQUENCE, 36 octets 00228 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 10 00230 ; 55 04 0a U.. 00233 ; 14 1d <5> TeletexString, 29 octets = 00235 ; 55 6e 69 76 65 72 73 69 74 79 20 6f 66 20 54 65 University of Te 00251 ; 78 61 73 20 61 74 20 41 75 73 74 69 6e xas at Austin 00264 ; 31 27 <3> CONSTRUCTED SET, 39 octets 00266 ; 30 25 <4> CONSTRUCTED SEQUENCE, 37 octets 00268 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 11 00270 ; 55 04 0b U.. 00273 ; 14 1e <5> TeletexString, 30 octets = 00275 ; 44 65 70 61 72 74 6d 65 6e 74 20 6f 66 20 43 6f Department of Co 00291 ; 6d 70 75 74 65 72 20 53 63 69 65 6e 63 65 mputer Science 00305 ; 31 1a <3> CONSTRUCTED SET, 26 octets 00307 ; 30 18 <4> CONSTRUCTED SEQUENCE, 24 octets 00309 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 4 3 00311 ; 55 04 03 U.. 00314 ; 14 11 <5> TeletexString, 17 octets = 00316 ; 77 77 77 2e 63 73 2e 75 74 65 78 61 73 2e 65 64 www.cs.utexas.ed 00332 ; 75 u 00333 ; 30 81 9f <2> CONSTRUCTED SEQUENCE, 159 octets 00336 ; 30 0d <3> CONSTRUCTED SEQUENCE, 13 octets 00338 ; 06 09 <4> OBJECT IDENTIFIER, 9 octets = 1 2 840 113549 1 1 1 00340 ; 2a 86 48 86 f7 0d 01 01 01 *.H...... 00349 ; 05 00 <4> NULL, 0 octets 00351 ; 03 81 8d <3> BIT STRING, 141 octets = 001100001000000110001001000000101000000110000001000000001110001001101101011111111011101011011010101011101111010111100001010001010011010101100101111010011100100111010110011000101111001000101000110000010001001000000111000011011011101100000010010001100111010101001011110010101100010010110101011010100100111011110110011110100110001100000010101001100101010100100000010110101000101101101111000000111101000000101010101000001001110010010011110100110010100001111101001001110101001000101011011101110011110110111011011001001101000100010010010010001100010101000101010011010101101000101101001010101010011101000000111101001111100011101101011111110010010001101101010011011011001011001100110101000101101010011111111000001000011000001011010001101111011111101010011000001100101111101111111000000011011111001010110011111100101111011001010110000100001100101000100110100100111001000000100000111100101001011001001100000110111111010000101111001011! 0010010100111110000011111000100100000110101111001100110000010111001010110100101001100010010110100110100001110100010110101101100000110011000101100001101011010000001000000011000000010000000000000001 00354 ; 00 30 81 89 02 81 81 00 e2 6d 7f ba da ae f5 e1 .0.......m...... 00370 ; 45 35 65 e9 c9 d6 62 f2 28 c1 12 07 0d bb 02 46 E5e...b.(......F 00386 ; 75 4b ca c4 b5 6a 4e f6 7a 63 02 a6 55 20 5a 8b uK...jN.zc..U Z. 00402 ; 6f 03 d0 2a a0 9c 93 d3 28 7d 27 52 2b 77 3d bb o..*....(}'R+w=. 00418 ; 64 d1 12 48 c5 45 4d 5a 2d 2a a7 40 f4 f8 ed 7f d..H.EMZ-*.@.... 00434 ; 24 6d 4d b2 cc d4 5a 9f e0 86 0b 46 f7 ea 60 cb $mM...Z....F..`. 00450 ; ef e0 37 ca cf cb d9 58 43 28 9a 4e 40 83 ca 59 ..7....XC(.N@..Y 00466 ; 30 6f d0 bc b2 53 e0 f8 90 6b cc c1 72 b4 a6 25 0o...S...k..r..% 00482 ; a6 87 45 ad 83 31 61 ad 02 03 01 00 01 ..E..1a...... 00495 ; a3 82 01 10 <2> CONSTRUCTED CONTEXT-SPECIFIC 3, 272 octets 00499 ; 30 82 01 0c <3> CONSTRUCTED SEQUENCE, 268 octets 00503 ; 30 09 <4> CONSTRUCTED SEQUENCE, 9 octets 00505 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 29 19 00507 ; 55 1d 13 U.. 00510 ; 04 02 <5> OCTET STRING, 2 octets = 00512 ; 30 00 0. 00514 ; 30 0b <4> CONSTRUCTED SEQUENCE, 11 octets 00516 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 29 15 00518 ; 55 1d 0f U.. 00521 ; 04 04 <5> OCTET STRING, 4 octets = 00523 ; 03 02 05 a0 .... 00527 ; 30 3c <4> CONSTRUCTED SEQUENCE, 60 octets 00529 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 29 31 00531 ; 55 1d 1f U.. 00534 ; 04 35 <5> OCTET STRING, 53 octets = 00536 ; 30 33 30 31 a0 2f a0 2d 86 2b 68 74 74 70 3a 2f 0301./.-.+http:/ 00552 ; 2f 63 72 6c 2e 76 65 72 69 73 69 67 6e 2e 63 6f /crl.verisign.co 00568 ; 6d 2f 52 53 41 53 65 63 75 72 65 53 65 72 76 65 m/RSASecureServe 00584 ; 72 2e 63 72 6c r.crl 00589 ; 30 44 <4> CONSTRUCTED SEQUENCE, 68 octets 00591 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 29 32 00593 ; 55 1d 20 U. 00596 ; 04 3d <5> OCTET STRING, 61 octets = 00598 ; 30 3b 30 39 06 0b 60 86 48 01 86 f8 45 01 07 17 0;09..`.H...E... 00614 ; 03 30 2a 30 28 06 08 2b 06 01 05 05 07 02 01 16 .0*0(..+........ 00630 ; 1c 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 .https://www.ver 00646 ; 69 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 isign.com/rpa 00659 ; 30 1d <4> CONSTRUCTED SEQUENCE, 29 octets 00661 ; 06 03 <5> OBJECT IDENTIFIER, 3 octets = 2 5 29 37 00663 ; 55 1d 25 U.% 00666 ; 04 16 <5> OCTET STRING, 22 octets = 00668 ; 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 0...+.........+. 00684 ; 01 05 05 07 03 02 ...... 00690 ; 30 19 <4> CONSTRUCTED SEQUENCE, 25 octets 00692 ; 06 0a <5> OBJECT IDENTIFIER, 10 octets = 2 16 840 1 113733 1 6 15 00694 ; 60 86 48 01 86 f8 45 01 06 0f `.H...E... 00704 ; 04 0b <5> OCTET STRING, 11 octets = 00706 ; 16 09 36 32 37 35 32 34 36 34 38 ..627524648 00717 ; 30 34 <4> CONSTRUCTED SEQUENCE, 52 octets 00719 ; 06 08 <5> OBJECT IDENTIFIER, 8 octets = 1 3 6 1 5 5 7 1 1 00721 ; 2b 06 01 05 05 07 01 01 +....... 00729 ; 04 28 <5> OCTET STRING, 40 octets = 00731 ; 30 26 30 24 06 08 2b 06 01 05 05 07 30 01 86 18 0&0$..+.....0... 00747 ; 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 76 65 72 69 http://ocsp.veri 00763 ; 73 69 67 6e 2e 3d 95 b0 sign.=.. 00771 ; 82 57 <1> CONTEXT-SPECIFIC 2, 87 octets = 00773 ; 38 93 b4 19 8a f8 46 91 c2 28 4f f6 68 61 f7 b0 8.....F..(O.ha.. 00789 ; 51 d9 ab 41 4c 62 78 77 67 48 c1 22 70 a0 b6 9f Q..ALbxwgH."p... 00805 ; ce 58 f2 bc 3a 68 e2 50 e1 fb bd d8 46 01 f0 c7 .X..:h.P....F... 00821 ; 7a 22 2e 7b 06 fb 59 75 50 de 8a 44 d6 b0 c6 16 z".{..YuP..D.... 00837 ; e6 11 2a ce 5c 1b fc 26 76 34 d7 33 94 23 b5 d5 ..*.\..&v4.3.#.. 00853 ; 5e 0a 60 bd b7 ce a0 ^.`.... 00860 ; d7 82 a7 cd <1> PRIVATE 23, 42957 octets = error: pre-mature EOF decoding definite length value -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
