[Openca-Users] openssl syntax for multi-valued RDNs is unknown from cisco router unstructuredName
Error 700 (General Error The compilation of the command cmdIssueCertificate failed. openssl syntax for multi-valued RDNs is unknown at /usr/lib/perl5/vendor_perl/5.8.7/X500/DN.pm line 104).

Hello,

when I want to create the certificate in the CA (Issue button), I get the error message above. I think the reason can be found in the request from the Cisco, which sends only this:

-
    serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234
    Role=Web Server
    Modulus (key size) 512
    Public Key Algorithm rsaEncryption
    Public Key Modulus (512 bit): 00:b6:0a:f3:09:3f:49:39:5a:83:42:d0:.
    Exponent: 65537 (0x10001)
    Signature Algorithm md5WithRSAEncryption
-

Does anyone know what I have to do when I receive the request from the Cisco? In the RA I can EDIT this data in the request before I export it to the CA and then import it into the CA.

I found that the error message comes from the X500 module. I think the module does not know what the Cisco request would send to the openssl interface. But what must be changed?

In the Cisco request I can only say with or without IP address and with or without serial number (crypto ca enroll XXX). In IOS 12.2(17) you cannot give a Subject (CN, OU, O, ..) or Email or so.

I think in the RA form "Edit the request" I have to change and/or add some things? With this data, serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234, I cannot ISSUE the certificate on the CA.

---
Another question: Why does the Cisco router put 2 requests over SCEP into the RA interface?
---

Regards
Herbert

___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: [Openca-Users] openssl syntax for multi-valued RDNs is unknown from cisco router unstructuredName
Quoting [EMAIL PROTECTED]:

> I think the reason can be found in the request from the Cisco, which sends only this:
> -
>     serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234
>     Role=Web Server
>     Modulus (key size) 512
>     Public Key Algorithm rsaEncryption
>     Public Key Modulus (512 bit): 00:b6:0a:f3:09:3f:49:39:5a:83:42:d0:.
>     Exponent: 65537 (0x10001)
>     Signature Algorithm md5WithRSAEncryption
> -
> Does anyone know what I have to do when I receive the request from the Cisco? In the RA I can EDIT this data in the request before I export it to the CA and then import it into the CA.

Well, the solution is quite simple in this case. (There are some e-mails addressing this already on the list, but I only have access through a web frontend at the moment, so searching is a bit painful; I will try to recover it from memory instead.)

If you edit the request at the RA or CA you will see the request in a form like:

    cn: type - value : type - value

in one row. You should rewrite the whole cn part and put everything in the 'first' column of the form and delete the 'second' column information in the request (unfortunately I don't have a picture right now, I hope you get the idea ;)

Sometimes it is necessary to add some SAN information (Subject Alternative Names); usually Cisco wants this if you additionally request the IP or FQDN in the certificate. That means adding a SAN named unstructuredName for the FQDN and one unstructuredAddress with the IP as value should help in such cases.

> ---
> Another question: Why does the Cisco router put 2 requests over SCEP into the RA interface?
> ---

This has to do with key types. If you request a general purpose key you get one request; if you request separate keys for signing and encryption, the Cisco device will generate two different key pairs, one for signing and one for encryption usage, and therefore two requests.

To support this, you may have to add/change the available 'roles' in OpenCA and write the appropriate usage type, like only for encryption or only for signing, in the X.509 certs. This is found under openssl/extfiles if I'm right. But there should already be some extra information in the documentation about how to change/create new roles.

Greetings
dalini
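
The check behind the error in this thread, as an added example that is not part of the original messages and is not OpenCA or X500::DN code: it finds RDNs joined with `+` in a DN string and prints the single-valued form, assuming that is what the manual edit in the reply amounts to. All function names are hypothetical, and it goes slightly beyond the thread by also handling escaped and quoted separators.

```python
# Added example (hypothetical names): detect and flatten multi-valued RDNs.

def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped or quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.strip().partition("=")
            if not sep or not attr_type:
                raise ValueError("malformed attribute: %r" % ava)
            pairs.append((attr_type.strip(), value.strip()))
        rdns.append(pairs)
    return rdns

def multi_valued(dn):
    """RDNs that carry more than one attribute (joined by '+')."""
    return [rdn for rdn in parse_dn(dn) if len(rdn) > 1]

def flatten(dn):
    """Rewrite the DN so every attribute sits in its own single-valued RDN."""
    return ", ".join("%s=%s" % pair for rdn in parse_dn(dn) for pair in rdn)

# DN string exactly as quoted in the thread (hostname is truncated in the post).
CISCO_DN = "serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234"

if __name__ == "__main__":
    print(multi_valued(CISCO_DN), flatten(CISCO_DN), sep="\n")
```

The flattened subject is a different DN from the one the router put in its request, so the rewrite should be a deliberate RA decision rather than an automatic one.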