On Wed, Jul 28, 2010, Wim Lewis wrote:

> On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote:
> > It's obviously asking for just a subset of what would typically go into a
> > CSR. I tried generating several different CSRs with OpenSSL, containing
> > various information (and then converting the files to Mac line endings),
> > but the instructions seem to be right. Only the CSR I made on a friend's
> > Mac was accepted. [...] It's also possible that I just missed the right
> > combination, and trying again will make a CSR that works.
>
> Well, I haven't tried submitting an OpenSSL-generated CSR to Apple, but the
> CertificateAssistant-generated CSR looks pretty normal. I have a vague memory
> that Apple's fussy about the key type; are you using a 2048-bit RSA key?
>
> I ran asn1parse on a successfully-submitted-to-Apple CSR and I see this
> structure:
>
> [
>   version = v1
>   subject = { emailAddress = IA5STRING, commonName = UTF8STRING, countryName = PRINTABLESTRING }
>   subjectPKInfo = [ [ rsaEncryption, NULL ], the usual key parameters, e=65537, m ~ 2^2048 ]
>   attributes = empty sequence
> ]
>
> signed using sha1WithRSAEncryption.
>
> > I don't like mysteries, and don't like being locked into one platform.
>
> Understandable, though I think that once you're using Apple's notification
> service for your iPhones, the way you generate your X.509 key is the least of
> your lock-in worries. :)

Try the utf8only option for the mask if it doesn't include UTF8Strings already.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
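
The mask mentioned in the reply above is the string_mask setting in the [ req ] section of the OpenSSL config file. The script below is an added example, not part of the thread: it builds a 2048-bit RSA CSR under a given mask and prints the ASN.1 string type that asn1parse reports for commonName, so the result can be compared with the structure quoted above. The function name csr_cn_type, the subject values and the config layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Subject values are constructed.
# csr_cn_type MASK: build a CSR with string_mask = MASK and print the ASN.1
# string type that asn1parse reports for the commonName value.
csr_cn_type() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT

    # Minimal req config. The [ dn ] section is only there because req
    # expects distinguished_name to exist; -subj supplies the real subject.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
string_mask = $1

[ dn ]
commonName = Common Name
EOF

    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || exit 1
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
        -subj "/emailAddress=user@example.com/CN=Test User/C=US" \
        -out "$dir/req.pem" || exit 1

    # The value line follows the ":commonName" OBJECT line; keep only the
    # type name that comes after "prim: ".
    openssl asn1parse -in "$dir/req.pem" |
        awk '/:commonName$/ { getline; sub(/^.*prim: */, ""); sub(/ .*$/, ""); print }'
)

# "default" permits any string type, so an ASCII commonName is encoded as
# PRINTABLESTRING; "utf8only" forces UTF8STRING, as in the accepted CSR.
for mask in default utf8only; do
    printf '%-9s commonName -> %s\n' "$mask" "$(csr_cn_type "$mask")"
done
```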