RE: SSL_get_error() crash (shortened)

2019-09-12 Thread Jahn, Gerhard
Hello,

We're using OpenSSL 1.1.1b on WIN64 and are facing a (rare but strange) 
core-dump when doing the following:

After successful TLS1.3 handshake we're calling SSL_read() to get the first 2 
Bytes of PDU data from the new connection (ASN.1 TAG + length).
SSL_read() returns 0
According to OpenSSL 1.1.1 documentation:

For SSL_read() and SSL_peek() the following return values can occur:
<= 0

  The read operation was not successful, because either the connection was 
closed, an error occurred or action must be taken by the calling process. Call 
SSL_get_error(3) 
with the return value ret to find out the reason.

We follow and call SSL_get_error() which crashes with debugger output (only 
topmost frame is shown here)

LIBSSL!SSL_get_error(struct ssl_st * s = 0x`05be9a00, int i = )+0x18c [d:\data\openssl\64\openssl-1.1.1b\ssl\ssl_lib.c @ 3560]

The OpenSSL source at this reported line looks like:

    if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
        (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
        return SSL_ERROR_ZERO_RETURN;

when we inspect the session "s" in the debugger, we find that s->shutdown == 3 
and s->s3 == NULL which finally causes the crash

It looks like a bug in OpenSSL???

So far it happened only once in our LAB (after some hours of heavy SSL load 
testing with thousands of SSL connections created/deleted)
we're currently not able to reproduce it.
Any comments/ideas/fixes would be appreciated..



Gerhard Jahn
Senior Developer IAM - AITs GER BDS CySP DIRX PDM
T +49 (0) 211 399 33276
T +49 (0) 211 399 22891
gerhard.j...@atos.net
Atos Information Technology GmbH
Otto-Hahn-Ring 6
81739 Munich, Germany
atos.net/de





Re: CSR with only public key

2019-09-12 Thread Bharathi Prasad
You are right. Cannot create a certificate with CSR containing only public
key.

Thanks for the explanation. 



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: CSR with only public key

2019-09-12 Thread Walter H.
Hey,

Try calculating the private Key from the public key ;-)
but this can last a little time you don't have;

Walter

On Thu, September 12, 2019 09:50, Bharathi Prasad wrote:
> Hi,
> I have the public key of the client but not the private key.
> ...
>
> Regards,
> Bharathi




Re: CSR with only public key

2019-09-12 Thread Bharathi Prasad
Hi,
Thanks for the prompt replies. I agree signature from private key should be
present in a CSR. However, as per RFC 2511, Proof Of Possession is optional
though it strongly recommends to have it. 

I was able to create the CSR with only public key. I was unintentionally
adding an extra line at the end while writing to a file. That is the reason
for the error. However, I have rectified it and now I am able to view the
CSR contents with openssl req command.

I am yet to check if I can get a valid certificate from my CA. But thanks
for the help.

Regards,
Bharathi




--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: Openssl 1.0.2t build failed using Visual Studio

2019-09-12 Thread Bin Ichiki
The same build error occurs with Visual Studio 2017 Community Edition.
The specified Configure options are VC-WIN64A and no-asm.


RE: Building OpenSSL

2019-09-12 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Osman Zakir
> Sent: Thursday, September 12, 2019 13:45

> I tried enabling both MD2 and RC5

Your previous note said "RC5 or MD4". Are you talking about MD2 or MD4?

> but I got linker errors when trying to build:

How did you "enable" them? If you reconfigured, did you do a "make clean" 
afterward before trying to build?

> How do I know whether to enable RC5 or MD4, though?

That depends on the needs of your application(s).

> Which one do I enable?  Sorry if this is a stupid question.

Neither. Either. Both. (All, since there seems to be some MD2/MD4 confusion 
here.) It depends entirely on what you're building OpenSSL for. You haven't 
told us, so we have no way of answering your question.

Most people have no need for MD2, MD4, or RC5.

>  And what's "afalg" (in "test_afalf")?

AF_ALG is a Linux network address family for userland access to the kernel 
cryptography subsystem. OpenSSL's afalg is (I believe) an engine (i.e. an 
OpenSSL plugin) that lets OpenSSL use AF_ALG for some cryptographic operations. 
It's similar in purpose to several of the other engines, such as capi 
(interface to Windows Crypto API) and pkcs11 (interface to crypto hardware 
supporting the PKCS#11 standard). If that doesn't answer your question, then 
you probably don't need to know about it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus





Re: Building OpenSSL

2019-09-12 Thread Osman Zakir
I tried enabling both MD2 and RC5 but I got linker errors when trying to build:

"
Creating library apps\openssl.lib and object apps\openssl.exp
speed.obj : error LNK2019: unresolved external symbol EVP_md2 referenced in function EVP_Digest_MD2_loop
speed.obj : error LNK2019: unresolved external symbol MD2_options referenced in function speed_main
version.obj : error LNK2001: unresolved external symbol MD2_options
speed.obj : error LNK2019: unresolved external symbol RC5_32_set_key referenced in function speed_main
speed.obj : error LNK2019: unresolved external symbol RC5_32_cbc_encrypt referenced in function speed_main
apps\openssl.exe : fatal error LNK1120: 4 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.22.27905\bin\HostX64\x64\link.EXE"' : return code '0x460'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.22.27905\bin\HostX64\x64\nmake.exe"' : return code '0x2'
Stop.
"

Any help would be appreciated.  Thanks in advance.

From: openssl-users  on behalf of Osman 
Zakir 
Sent: Thursday, September 12, 2019 9:39 PM
To: openssl-users@openssl.org 
Subject: Re: Building OpenSSL

Okay, I was able to build it and am running the tests now.

How do I know whether to enable RC5 or MD4, though?  Which one do I enable?  
Sorry if this is a stupid question.  And what's "afalg" (in "test_afalf")?


Re: Building OpenSSL

2019-09-12 Thread Osman Zakir
Okay, I was able to build it and am running the tests now.

How do I know whether to enable RC5 or MD4, though?  Which one do I enable?  
Sorry if this is a stupid question.  And what's "afalg" (in "test_afalf")?


Re: Openssl 1.0.2t build failed using Visual Studio

2019-09-12 Thread Matt Caswell



On 12/09/2019 10:29, Fabrice Manfroi wrote:
> Hello,
> 
> Trying to build the last 1.0.2t on Windows with Visual Studio 2010, I
> get the following build error:
> 
> ===
> 
> LIBEAY32.def : error LNK2001: unresolved external symbol OPENSSL_rdtsc
> 
> ===
> 
> If I remove the OPENSSL_rdtsc entry from the util/libeay.num file it
> works without any problem.
> 
> Is it an error? Or am I missing something?

I don't get this with VS2013 (the oldest version I have) so it may be a Visual
Studio version specific problem.

OPENSSL_rdtsc is only relevant on some platforms, and isn't present on others
which is why this problem occurs. Perhaps later Visual Studio versions are more
tolerant of this? Removing the entry from util/libeay.num is fine as a
workaround for now, and won't cause any adverse impacts.

Matt


Re: Typo in crypto/threads_none.c source file

2019-09-12 Thread Matt Caswell



On 12/09/2019 16:35, Fabrice Manfroi wrote:
> Hello,
> 
> During a Windows build of the 1.1.1d version I found a typo in the
> crypto/threads_none.c source file.

Hi

This was recently fixed in git. See commit c3656cc594daa.

Matt


Typo in crypto/threads_none.c source file

2019-09-12 Thread Fabrice Manfroi
Hello,

During a Windows build of the 1.1.1d version I found a typo in the
crypto/threads_none.c source file.

Attached is a small patch which fixes the problem.

Best Regards.
diff --git a/lib-na-openssl/src/crypto/threads_none.c b/lib-na-openssl/src/crypto/threads_none.c
index aabf0e0dc..ae872 100644
--- a/lib-na-openssl/src/crypto/threads_none.c
+++ b/lib-na-openssl/src/crypto/threads_none.c
@@ -143,7 +143,7 @@ int openssl_get_fork_id(void)
 # if defined(OPENSSL_SYS_UNIX)
 return getpid();
 # else
-return return 0;
+return 0;
 # endif
 }
 #endif
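
Review bot: The file paths in the diff header (a/lib-na-openssl/src/crypto/threads_none.c) carry a local directory prefix, so the patch will not apply with -p1 to a tree where the file lives at crypto/threads_none.c; please regenerate it against that layout. The one-line change itself, "return return 0;" to "return 0;", is correct. Since the duplicated keyword sits in the "# else" branch of the OPENSSL_SYS_UNIX check in openssl_get_fork_id(), only non-Unix builds of this file compile it, and it would help to say so in the description so the affected configurations are clear.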




Re: CSR with only public key

2019-09-12 Thread Viktor Dukhovni
On Thu, Sep 12, 2019 at 12:50:23AM -0700, Bharathi Prasad wrote:

> I have the public key of the client but not the private key. I am required
> to generate a CSR with only public key. I understand private key is required
> for Proof of Possession. However, as per my requirement I am supposed to
> create CSR only with public key and my CA would create a certificate. 
> 
> I was able to create a CSR with CX509CertificateRequestCertificate and
> CX509Enrollment classes using the available public key. When I try to read
> the contents of the CSR in openssl (I used this command: openssl req -in
> client.csr -noout -text) I get "unable to load X509 request". 
> 
> Is this happening because the CSR does not contain the signature of private
> key or the CSR is faulty.

The input is not a valid PEM-encoded CSR.  Perhaps it is
DER encoded.  To test:

openssl req -inform DER -in client.csr -text

--
Viktor.
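
The PEM-versus-DER question raised in the reply above, together with the "expected ASN.1 structure" point made elsewhere in this thread, as an added example that is not part of any poster's message: a standard-library Python triage that reports which encoding a request file uses and whether its outer PKCS#10 shape (request info, signature algorithm, signature) is present. The function names and the sample byte strings are constructed for illustration; the check looks at structure only and does not verify the signature, which `openssl req -verify` does.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]   # single-byte tags only (enough here)
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of data")
    return tag, pos, pos + length

def triage_csr(data):
    """Return (encoding, findings); an empty findings list means the shape is fine."""
    findings = []
    m = PEM_RE.search(data)
    if m:
        encoding = "PEM"
        if data[:m.start()].strip() or data[m.end():].strip():
            findings.append("text outside the PEM armor")
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            return encoding, findings + ["body is not valid base64"]
    else:
        encoding, der = "DER", data
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30:
            return encoding, findings + ["outer element is not a SEQUENCE"]
        if end != len(der):
            findings.append("trailing bytes after the request")
        tags, pos = [], start
        while pos < end:                  # collect tags of the top-level members
            t, _, pos = read_tlv(der, pos)
            tags.append(t)
    except ValueError as exc:
        return encoding, findings + [f"malformed DER: {exc}"]
    # CertificationRequest ::= SEQUENCE { info SEQUENCE, alg SEQUENCE, sig BIT STRING }
    if tags != [0x30, 0x30, 0x03]:
        findings.append("not SEQUENCE, SEQUENCE, BIT STRING: "
                        + ",".join(f"{t:#04x}" for t in tags))
    return encoding, findings

def der_tlv(tag, content):
    """Build one short-form TLV; used only for the constructed samples below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# Constructed samples: shaped like PKCS#10 but not real requests or real keys.
INFO = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, b"")
               + der_tlv(0x30, b"") + der_tlv(0xA0, b""))
ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
SIGNED_DER = der_tlv(0x30, INFO + ALG + der_tlv(0x03, b"\x00" + b"\x5a" * 8))
UNSIGNED_DER = der_tlv(0x30, INFO)        # signature algorithm and signature missing
SIGNED_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(SIGNED_DER)
              + b"-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for name, blob in [("signed.der", SIGNED_DER), ("signed.pem", SIGNED_PEM),
                       ("unsigned.der", UNSIGNED_DER)]:
        print(name, triage_csr(blob))
```
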


Re: CSR with only public key

2019-09-12 Thread Salz, Rich via openssl-users
>I used CX509CertificateRequestCertificate  class to create CSR with only
public key. 

  
Those functions/classes/names/whatever are not part of OpenSSL.

The OpenSSL "req" command cannot process a CSR unless it is signed by the 
private key.  If you have a requirement to sign a CSR with the public key, then 
probably other things within OpenSSL will not be able to handle it.
 



Re: CSR with only public key

2019-09-12 Thread Kyle Hamilton
If a CA signs a certificate without proof of possession of the private key,
the CA is enabling whoever does have that private key to look as though
they are the one who they sign the certificate for (i.e., impersonation).
The entire structure of PKI (the binding of the public half of a keypair to
some external identity) depends on this not happening.

More importantly, in the situation where the person submitting the unsigned
request can't prove possession, they know it is a situation where either
the private key is lost (and the certificate would be useless anyway) or
that impersonation is simply guaranteed.

There might be a scenario desired where the generation of the CSR isn't
done by the holder of the private key internal to a company (perhaps
because the holder of the private key is otherwise extremely busy), but
because there's no way to tell if that limited scenario is different from
the other scenarios based on available evidence, publicly trusted CAs are
required (by rules of the CABF) to reject non-proof-of-possession scenarios
entirely.

To answer your question, yes the error is because the request wasn't signed
with the private key.  As such, it's not a complete request, and doesn't
match the expected ASN.1 structure.

-Kyle H


On Thu, Sep 12, 2019, 02:47 Bharathi Prasad 
wrote:

> Hi,
> I have the public key of the client but not the private key. I am required
> to generate a CSR with only public key. I understand private key is
> required
> for Proof of Possession. However, as per my requirement I am supposed to
> create CSR only with public key and my CA would create a certificate.
>
> I was able to create a CSR with CX509CertificateRequestCertificate and
> CX509Enrollment classes using the available public key. When I try to read
> the contents of the CSR in openssl (I used this command: openssl req -in
> client.csr -noout -text) I get "unable to load X509 request".
>
> Is this happening because the CSR does not contain the signature of private
> key or the CSR is faulty.
>
> Kindly help me.
>
> Regards,
> Bharathi
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>


Building OpenSSL

2019-09-12 Thread Osman Zakir
I want to build OpenSSL for an x64 Windows 10 OS.  I tried to configure it on 
the Developer Command Prompt for VS 2019 by running "perl Configure VC-WIN64A", 
but it gave me this error:

"
Can't locate Win32/Console.pm in @INC (you may need to install the Win32::Console module) (@INC contains: C:/openssl-1.1.1d/util/perl C:/Perl64/site/lib C:/Perl64/lib) at C:/Perl64/site/lib/ActivePerl/Config.pm line 400.
Compilation failed in require at C:/Perl64/site/lib/ExtUtils/MakeMaker.pm line 9.
BEGIN failed--compilation aborted at C:/Perl64/site/lib/ExtUtils/MakeMaker.pm line 9.
Compilation failed in require at C:/Perl64/site/lib/IPC/Cmd.pm line 235.
"

2 questions:

  1. How can I get Win32/Console.pm and Win32::Console?
  2. What does the "A" mean in "Win64A", and what happens if I put "Win64I" instead?

Thanks in advance.


Re: AW: Test failed with openssl-1.1.1d ../test/recipes/20-test_enc.t

2019-09-12 Thread Richard Levitte
On Thu, 12 Sep 2019 10:31:51 +0200,
Dr. Matthias St. Pierre wrote:
> 
> > > I think this is a problem with the 20-test_enc.t Test and not with 
> > > OPENSSL.
> > >
> > > Can you please help me to fix the Test ?
> > >
> > 
> > Did you enable zlib by any chance? If so it could be this:
> > 
> > https://github.com/openssl/openssl/issues/9866
> > 
> > No resolution as yet.
> > 
> > Matt
> 
> 
> If you need a quick workaround, you have two options:
> 
> - Don't use the 'zlib' option when configuring OpenSSL
> 
> - Revert the offending commit 8be96f2369. It is dispensable, because it only fixes
>   a 'cosmetic' problem, namely that in certain situations you have to press
>   CTRL-D in the console more often than expected in order to indicate EOF to the
>   openssl application.
> 
>
> https://github.com/openssl/openssl/commit/8be96f236969caabf303bec389a2f812b4869c1c

Reverting the "offending commit" is a bad idea, because the code it
corrected was obviously hiding bugs, which would hit others who treat
BIO filters correctly (i.e. actually check if there's any pending
input or output).

Simply put, the zlib BIO filter doesn't behave correctly in this
regard.  Corrective PR here: https://github.com/openssl/openssl/pull/9876

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Openssl 1.0.2t build failed using Visual Studio

2019-09-12 Thread Fabrice Manfroi
Hello,

Trying to build the last 1.0.2t on Windows with Visual Studio 2010, I
get the following build error:

===

LIBEAY32.def : error LNK2001: unresolved external symbol OPENSSL_rdtsc

===

If I remove the OPENSSL_rdtsc entry from the util/libeay.num file it
works without any problem.

Is it an error? Or am I missing something?

Best Regards.







R: CSR with only public key

2019-09-12 Thread Francesco Petruzzi
Yes Paul, you are right. Real CA must never accept CSR without verifying the 
signature.

Francesco Petruzzi

Information Security Manager
Innovery SpA
Via Farini, 81 – 20159 Milano
Cell. +39 320 170 4978

From: Paul Yang [mailto:kaishen...@alipay.com]
Sent: Thursday, 12 September 2019 10:46
To: Francesco Petruzzi
Cc: openssl-users@openssl.org
Subject: Re: CSR with only public key

Dare any CA proceed to sign a CSR without verifying the signature…

Maybe there are scenarios we are not aware about...


On Sep 12, 2019, at 4:41 PM, Francesco Petruzzi <francesco.petru...@innovery.net> wrote:

Sign request with a fake private key and hope the client does not require 
signature verification.

Regards
Francesco Petruzzi

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Paul Yang via openssl-users
Sent: Thursday, 12 September 2019 09:51
To: Bharathi Prasad
Cc: Openssl Users
Subject: Re: CSR with only public key

How could you create the CSR with only public key?

On Sep 12, 2019, at 3:50 PM, Bharathi Prasad <barati.j.pra...@gmail.com> wrote:

Hi,
I have the public key of the client but not the private key. I am required
to generate a CSR with only public key. I understand private key is required
for Proof of Possession. However, as per my requirement I am supposed to
create CSR only with public key and my CA would create a certificate.

I was able to create a CSR with CX509CertificateRequestCertificate and
CX509Enrollment classes using the available public key. When I try to read
the contents of the CSR in openssl (I used this command: openssl req -in
client.csr -noout -text) I get "unable to load X509 request".

Is this happening because the CSR does not contain the signature of private
key or the CSR is faulty.

Kindly help me.

Regards,
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Regards,

Paul Yang


Regards,

Paul Yang



Re: CSR with only public key

2019-09-12 Thread Paul Yang via openssl-users
Dare any CA proceed to sign a CSR without verifying the signature…

Maybe there are scenarios we are not aware about...

> On Sep 12, 2019, at 4:41 PM, Francesco Petruzzi 
>  wrote:
> 
> Sign request with a fake private key and hope the client does not require 
> signature verification.
> 
> Regards
> Francesco Petruzzi
> 
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Paul Yang via openssl-users
> Sent: Thursday, 12 September 2019 09:51
> To: Bharathi Prasad
> Cc: Openssl Users
> Subject: Re: CSR with only public key
> 
> How could you create the CSR with only public key?
> 
> 
> On Sep 12, 2019, at 3:50 PM, Bharathi Prasad wrote:
> 
> Hi,
> I have the public key of the client but not the private key. I am required
> to generate a CSR with only public key. I understand private key is required
> for Proof of Possession. However, as per my requirement I am supposed to
> create CSR only with public key and my CA would create a certificate.
> 
> I was able to create a CSR with CX509CertificateRequestCertificate and
> CX509Enrollment classes using the available public key. When I try to read
> the contents of the CSR in openssl (I used this command: openssl req -in
> client.csr -noout -text) I get "unable to load X509 request".
> 
> Is this happening because the CSR does not contain the signature of private
> key or the CSR is faulty.
> 
> Kindly help me.
> 
> Regards,
> Bharathi
> 
> 
> 
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html 
> 
> 
> 
> Regards,
> 
> Paul Yang


Regards,

Paul Yang





R: CSR with only public key

2019-09-12 Thread Francesco Petruzzi
Sign request with a fake private key and hope the client does not require 
signature verification.

Regards
Francesco Petruzzi

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Paul Yang via openssl-users
Sent: Thursday, 12 September 2019 09:51
To: Bharathi Prasad
Cc: Openssl Users
Subject: Re: CSR with only public key

How could you create the CSR with only public key?

On Sep 12, 2019, at 3:50 PM, Bharathi Prasad <barati.j.pra...@gmail.com> wrote:

Hi,
I have the public key of the client but not the private key. I am required
to generate a CSR with only public key. I understand private key is required
for Proof of Possession. However, as per my requirement I am supposed to
create CSR only with public key and my CA would create a certificate.

I was able to create a CSR with CX509CertificateRequestCertificate and
CX509Enrollment classes using the available public key. When I try to read
the contents of the CSR in openssl (I used this command: openssl req -in
client.csr -noout -text) I get "unable to load X509 request".

Is this happening because the CSR does not contain the signature of private
key or the CSR is faulty.

Kindly help me.

Regards,
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Regards,

Paul Yang



AW: Test failed with openssl-1.1.1d ../test/recipes/20-test_enc.t

2019-09-12 Thread Dr. Matthias St. Pierre
> > I think this is a problem with the 20-test_enc.t Test and not with OPENSSL.
> >
> > Can you please help me to fix the Test ?
> >
> 
> Did you enable zlib by any chance? If so it could be this:
> 
> https://github.com/openssl/openssl/issues/9866
> 
> No resolution as yet.
> 
> Matt


If you need a quick workaround, you have two options:

- Don't use the 'zlib' option when configuring OpenSSL

- Revert the offending commit 8be96f2369. It is dispensable, because it only fixes
  a 'cosmetic' problem, namely that in certain situations you have to press
  CTRL-D in the console more often than expected in order to indicate EOF to the
  openssl application.

   
https://github.com/openssl/openssl/commit/8be96f236969caabf303bec389a2f812b4869c1c

HTH,
Matthias




Re: Test failed with openssl-1.1.1d ../test/recipes/20-test_enc.t

2019-09-12 Thread Matt Caswell



On 12/09/2019 08:58, zahn wrote:
> Hello
> 
> After building openssl-1.1.1d I run a Test and it failed:
> 
> ../test/recipes/20-test_enc.t .. Dubious, test returned 1
> (wstat 256, 0x100)
> 
> Test Summary Report
> ---
> ../test/recipes/20-test_enc.t    (Wstat: 256 Tests: 172 
> Failed: 1)
>   Failed test:  171
>   Non-zero exit status: 1
> Files=155, Tests=1457, 428 wallclock secs ( 8.43 usr  0.39 sys + 375.17 cusr
> 48.13 csys = 432.12 CPU)
> Result: FAIL
> make[1]: *** [_tests] Error 1
> make[1]: Leaving directory `/u01/download/tmp/openssl-1.1.1d'
> make: *** [tests] Error 2
> 
> I think this is a problem with the 20-test_enc.t Test and not with OPENSSL.
> 
> Can you please help me to fix the Test ?
> 

Did you enable zlib by any chance? If so it could be this:

https://github.com/openssl/openssl/issues/9866

No resolution as yet.

Matt


Test failed with openssl-1.1.1d ../test/recipes/20-test_enc.t

2019-09-12 Thread zahn

Hello

After building openssl-1.1.1d I run a Test and it failed:

../test/recipes/20-test_enc.t .. Dubious, test returned 1 (wstat 256, 0x100)

Test Summary Report
---
../test/recipes/20-test_enc.t    (Wstat: 256 Tests: 172 Failed: 1)
  Failed test:  171
  Non-zero exit status: 1
Files=155, Tests=1457, 428 wallclock secs ( 8.43 usr  0.39 sys + 375.17 cusr 48.13 csys = 432.12 CPU)

Result: FAIL
make[1]: *** [_tests] Error 1
make[1]: Leaving directory `/u01/download/tmp/openssl-1.1.1d'
make: *** [tests] Error 2

I think this is a problem with the 20-test_enc.t Test and not with OPENSSL.

Can you please help me to fix the Test ?

--

Kind regards from Oberdiessbach, Martin Zahn

Akadia AG
Martin Zahn
Software Ing. HTL
Oracle Certificate Professional
Information Technology
Fichtenweg 10
CH-3672 Oberdiessbach

Tel: +41 79 410 27 87
Web: www.akadia.com
E-Mail: martin.z...@akadia.com



Re: CSR with only public key

2019-09-12 Thread Bharathi Prasad
I used CX509CertificateRequestCertificate  class to create CSR with only
public key. 



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: CSR with only public key

2019-09-12 Thread Paul Yang via openssl-users
How could you create the CSR with only public key?

> On Sep 12, 2019, at 3:50 PM, Bharathi Prasad  
> wrote:
> 
> Hi,
> I have the public key of the client but not the private key. I am required
> to generate a CSR with only public key. I understand private key is required
> for Proof of Possession. However, as per my requirement I am supposed to
> create CSR only with public key and my CA would create a certificate.
> 
> I was able to create a CSR with CX509CertificateRequestCertificate and
> CX509Enrollment classes using the available public key. When I try to read
> the contents of the CSR in openssl (I used this command: openssl req -in
> client.csr -noout -text) I get "unable to load X509 request".
> 
> Is this happening because the CSR does not contain the signature of private
> key or the CSR is faulty.
> 
> Kindly help me.
> 
> Regards,
> Bharathi
> 
> 
> 
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Regards,

Paul Yang





CSR with only public key

2019-09-12 Thread Bharathi Prasad
Hi,
I have the public key of the client but not the private key. I am required
to generate a CSR with only public key. I understand private key is required
for Proof of Possession. However, as per my requirement I am supposed to
create CSR only with public key and my CA would create a certificate. 

I was able to create a CSR with CX509CertificateRequestCertificate and
CX509Enrollment classes using the available public key. When I try to read
the contents of the CSR in openssl (I used this command: openssl req -in
client.csr -noout -text) I get "unable to load X509 request". 

Is this happening because the CSR does not contain the signature of private
key or the CSR is faulty.

Kindly help me.

Regards,
Bharathi



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html