John Wehle wrote:
>
> > John Wehle wrote:
> > >
> > > The Cisco 2501 generates the enclosed ASN1 data stream when asked
> > > to generate a certificate request. How do I certify it? It
> > > doesn't seem to be recognized as a request by openssl.
> > >
> > > $ openssl req -inform der < cert_req.27281
> > > Using configuration from /usr/local/ssl/lib/openssl.cnf
> > > unable to load X509 request
> > [Unusual ASN1 dump deleted]
> >
> > Interesting. It isn't a simple certificate request and the ASN1 dump
> > doesn't give enough info to help, it's *something* wrapped in a PKCS#7
> > signed-data structure but I can't tell what without doing some extra
> > tests. Can you send me the file so I can analyse it?
>
> Here's the file.
>
More interesting. It looks like a CSR but it's broken somewhat. Since
there are several forms for the CSR I needed to check the file to be
sure.

These things can have a PKCS#10 request variant and some other data
inside a PKCS#7 wrapper. The wrapper can be either PKCS#7 signed data or
PKCS#7 signed data enclosing PKCS#7 enveloped data with the request
itself encrypted.

Unfortunately in your case the request itself is encrypted using DES and
can only be read by the CA it is intended for. You can see this inner
structure by using -strparse 51 with asn1parse. It is encrypted using a
certificate issued by "Feith Systems and Software, Inc."

It is possible that you can get at the public key from the outer signed
data using:

openssl pkcs7 -inform DER -in req -print_certs

You might then be able to use this in an evil hack to get the right
public key in a certificate. However it is quite likely that, unless you
can get it to accept another CA, it will reject any attempt to install
a certificate from a CA it doesn't approve of.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
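
The layering described in this reply (PKCS#7 signed data whose data payload may itself be PKCS#7 enveloped data), as an added example that is not part of the original message: a Python DER walker that reports the chain of content types. It assumes definite-length DER, uses hypothetical function names, and runs on a constructed sample with stub fields rather than the Cisco file.

```python
# Added example, not from the thread. Assumes definite-length DER; function
# names are hypothetical and SAMPLE is constructed (stub fields, no real keys).
P7 = bytes.fromhex("2a864886f70d0107")      # OID prefix 1.2.840.113549.1.7
NAMES = {1: "data", 2: "signedData", 3: "envelopedData"}
SAMPLE = bytes.fromhex(
    "303f 06092a864886f70d010702 a032 3030 020101 3100"       # signedData
    " 3027 06092a864886f70d010701 a01a 0418"                   # data, OCTET STRING
    " 3016 06092a864886f70d010703 a009 3007 020100 3100 3000"  # envelopedData stub
    " 3100")                                                    # empty signerInfos

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER), not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def content_info(buf, pos):
    """Parse ContentInfo; return (type name, offset of content element or None)."""
    tag, start, end = tlv(buf, pos)
    otag, ostart, oend = tlv(buf, start)
    oid = buf[ostart:oend]
    if tag != 0x30 or otag != 0x06 or oid[:-1] != P7 or oid[-1] not in NAMES:
        raise ValueError("not a PKCS#7 ContentInfo")
    if oend == end:                         # the content field is OPTIONAL
        return NAMES[oid[-1]], None
    ctag, cstart, _ = tlv(buf, oend)
    if ctag != 0xA0:
        raise ValueError("content is not [0] EXPLICIT")
    return NAMES[oid[-1]], cstart

def wrapper_chain(der, pos=0):
    """List the nested PKCS#7 content types, outermost first."""
    name, cpos = content_info(der, pos)
    if cpos is None or name == "envelopedData":
        return [name]                       # envelopedData body is encrypted; stop
    tag, vs, ve = tlv(der, cpos)
    if name == "signedData":                # skip version and digestAlgorithms
        return [name] + wrapper_chain(der, tlv(der, tlv(der, vs)[2])[2])
    try:                                    # data: OCTET STRING may hold another layer
        return [name] + (wrapper_chain(der[vs:ve]) if tag == 0x04 else [])
    except (ValueError, IndexError):
        return [name]                       # opaque payload, not a PKCS#7 layer
```

A result of `['signedData', 'data', 'envelopedData']` corresponds to the second wrapper form in the reply, where the request is readable only by the CA whose certificate was used for encryption.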