Re: [openssl-users] CSR verify failure

2018-04-02 Thread Jon Uriarte
Hey all, Thanks a lot for your comments, they helped me to realize that I was configuring/doing something wrong. I was hitting the CSR creation issues on a virtual machine, and the source of the wrong signature seems to be related to the virtualization type I was using. When using qemu the issue

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Dave Coombs
Yeah, it looks like the signature is just wrong. Even setting aside the question of padding, I used rsautl -verify -raw on the signature using the CSR's public key, and I would expect to see a pair of sequence tags (0x30) with sensible lengths somewhere inside, and I don't. hulk:/tmp $

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Jon Uriarte
On Mon, Mar 26, 2018 at 6:15 PM, Felipe Gasper wrote:
> I see the same errors with 1.0.2n.
>
> Going by posts I see out-and-about about this error, there seem to be two
> possibilities:
>
> 1) There’s an RSA padding scheme mismatch. Maybe your openssl.cnf has
> something

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Michael Wojcik
OK, I see the verify error with the CSR you sent, so it's an issue with creating the CSR, not with verifying it. Beyond that I don't see the issue, but I'd have to debug it (or decrypt the signature manually) to see what exactly the problem is. OpenSSL is complaining that it expects the

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Felipe Gasper
I see the same errors with 1.0.2n. Going by posts I see out-and-about about this error, there seem to be two possibilities:
1) There’s an RSA padding scheme mismatch. Maybe your openssl.cnf has something nonstandard, e.g., raw padding rather than PKCS1?
2) The signature is simply incorrect.

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Jon Uriarte
Sure, here it is:
$ cat CSR.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAOJuhJcO1eqtGE8Yc7P4cSgSwlwyuAe8AYzseGCqwAEY

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Felipe Gasper
But what is the actual PEM of the CSR? It should look like:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
-FG
> On Mar 26, 2018, at 11:47 AM, Jon Uriarte wrote:
>
> Thanks for your replies.
>
> I'm creating the CSR with the default values.
>

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Jon Uriarte
Thanks for your replies. I'm creating the CSR with the default values.
$ openssl req -noout -text -in CSR.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=XX, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm:

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Michael Wojcik
I just tried the same commands on my system, using 1.0.2n, and didn't have any problems (as I'd expect). What's the output of openssl asn1parse -dump -in CSR.csr? -- Michael Wojcik Distinguished Engineer, Micro Focus

Re: [openssl-users] CSR verify failure

2018-03-26 Thread Felipe Gasper
Can you paste one of the CSRs that fails verification? -Felipe
> On Mar 26, 2018, at 11:19 AM, Jon Uriarte wrote:
>
> Hi folks,
>
> I'm hitting some issues when trying to create SSL certificates and was
> wondering if any around could help with this.
> I can create a CSR

[openssl-users] CSR verify failure

2018-03-26 Thread Jon Uriarte
Hi folks, I'm hitting some issues when trying to create SSL certificates and was wondering if any around could help with this. I can create a CSR and sign it with a newly created key:
$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generating a 2048 bit RSA