Merton Campbell Crockett wrote:
> 
> Originally, I had sent this to the modssl-users list but this might be a
> more appropriate list as it deals more with the SSL utilities that are used
> to generate CSRs.
> 
> ---------- Forwarded message ----------
> Date: Sat, 29 Jan 2000 19:35:05 -0800 (PST)
> From: Merton Campbell Crockett <[EMAIL PROTECTED]>
> To: mod_SSL Users List <[EMAIL PROTECTED]>
> Subject: Generating CSR for Netscape Certificate Server based CA
> 
> I need to create a Certificate Signing Request for the DoD Certificate
> Authority.  DoD uses a Netscape Certificate Server to manage and sign its
> certificates.
> 
> To date, I have not been able to generate a CSR that is acceptable to the
> Netscape Certificate Server.  All requests are rejected with a "bad DER
> encoding" error.  While this may be an accurate error, I am beginning to
> suspect that the problem may be a field that is required by the Netscape
> Certificate Server but that is optional or not used by a commercial third-
> party Certificate Authority, e.g. VeriSign, Thawte, CyberTrust, etc.
> 

There are two common causes. One is that you need to change the PEM
encoding to say BEGIN NEW CERTIFICATE and END NEW CERTIFICATE etc.

Another possible problem is the use of extra attributes like
challengePassword: this incorrectly included the trailing null in all
released versions of OpenSSL and SSLeay: this is fixed in the latest
snapshot.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
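
Added example, not part of the reply above and not OpenSSL code: a Python check for the two causes the reply names, reporting which PEM header a request carries and whether a challengePassword value ends in a null byte. It assumes the full header label is NEW CERTIFICATE REQUEST, as written by openssl req -newhdr; the function names and the unsigned sample fragment are constructed for illustration.

```python
import base64
import re

# DER content bytes of OID 1.2.840.113549.1.9.7 (PKCS #9 challengePassword)
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)-----END \1-----", re.S)

def children(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated DER")
        yield tag, pos, pos + length
        pos += length

def challenge_passwords(buf, start=0, end=None):
    """Collect the raw string value of every challengePassword attribute."""
    found = []
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        kids = list(children(buf, vs, ve)) if tag & 0x20 else []  # constructed only
        is_attr = tag == 0x30 and [k[0] for k in kids] == [0x06, 0x31]
        if is_attr and buf[kids[0][1]:kids[0][2]] == CHALLENGE_PASSWORD_OID:
            found += [buf[s:e] for _, s, e in children(buf, kids[1][1], kids[1][2])]
        elif kids:
            found += challenge_passwords(buf, vs, ve)
    return found

def inspect_csr(pem):
    """Return the PEM label and any challengePassword value that ends in NUL."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    values = challenge_passwords(base64.b64decode(m.group(2)))
    return {"label": m.group(1), "nul_terminated": [v for v in values if v.endswith(b"\x00")]}

def with_new_header(pem):
    """Rewrite the BEGIN/END lines to the NEW CERTIFICATE REQUEST form."""
    return re.sub(r"-----(BEGIN|END) (CERTIFICATE REQUEST-----)", r"-----\1 NEW \2", pem)

def sample_pem(password):
    """Constructed, unsigned fragment (not a complete CSR) for the checks above."""
    def tlv(tag, value):
        return bytes([tag, len(value)]) + value  # short-form length only
    attr = tlv(0x30, tlv(0x06, CHALLENGE_PASSWORD_OID) + tlv(0x31, tlv(0x13, password)))
    body = base64.b64encode(tlv(0x30, tlv(0x02, b"\x00") + tlv(0xA0, attr))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"
```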
