Can't seem to create a valid CSR

Hi,
I’m having trouble inserting a valid CSR into a request (still trying to implement an ACME client, I’m almost at the last step).
The CSR that I create using mbedtls_x509write_csr_pem() doesn’t get accepted.
When I try the example programs, they also don’t appear to create a CSR with the right info. Example below.
What am I missing?

Danny

acer: {51} ./cert_req filename=private_key-2.pem subject_name=dannybackx.hopto.org
  . Seeding the random number generator... ok
  . Checking subject name... ok
  . Loading the private key ... ok
  . Writing the certificate request ... ok
acer: {52} ./req_app

  . Loading the CSR ... failed
  !  mbedtls_x509_csr_parse_file returned -9184

acer: {53} ./cert_req filename=private_key-2.pem 
  . Seeding the random number generator... ok
  . Checking subject name... ok
  . Loading the private key ... ok
  . Writing the certificate request ... ok
acer: {54} ./req_app

  . Loading the CSR ... ok
  . CSR information    ...
      CSR version   : 1
      subject name  : CN=Cert, O=mbed TLS, C=UK
      signed using  : RSA with SHA-256
      RSA key size  : 2048 bits

acer: {55}

also :
acer: {60} ./cert_req filename=private_key-2.pem subject_name=dannybackx.hopto.org
  . Seeding the random number generator... ok
  . Checking subject name... ok
  . Loading the private key ... ok
  . Writing the certificate request ... ok
acer: {61} openssl req -in cert.req -verify -noout -subject
verify OK
subject=
acer: {62} ./cert_req filename=private_key-2.pem
  . Seeding the random number generator... ok
  . Checking subject name... ok
  . Loading the private key ... ok
  . Writing the certificate request ... ok
acer: {63} openssl req -in cert.req -verify -noout -subject
verify OK
subject=CN = Cert, O = mbed TLS, C = UK
acer: {64}

Hi @DannyBackx
Thank you for your question!

Please note that the subject name that you are inserting for cert_req is not a valid Distinguished Name. This is why you get the parsing error, as a valid subject name does not exist. (You can look at the generated CSR with an online ASN.1 decoder such as https://lapo.it/asn1js/.)

You can also see that in your openssl CSR print, the subject is empty as well.

In order to fix this, the subject_name should be a valid DN, for example:

./cert_req filename=privateKey.key subject_name=O=dannybackx.hopto.org
  . Seeding the random number generator... ok
  . Checking subject name... ok
  . Loading the private key ... ok
  . Writing the certificate request ... ok

./req_app

  . Loading the CSR ... ok
  . CSR information    ...
      CSR version   : 1
      subject name  : O=dannybackx.hopto.org
      signed using  : RSA with SHA-256
      RSA key size  : 2048 bits

Regards,
Mbed TLS Support
Ron

Note: I have created "CSR generation does not return an error when generating an invalid subject" (Issue #2969, Mbed-TLS/mbedtls on GitHub) to track the issue that the CSR generation didn't fail on this invalid input.

Thanks Ron,

Now local tests work, as you demonstrated.
Next problem: figure out why the server isn't taking it :slight_smile:

Merry Christmas,

Danny

I (13255) Acme: FinalizeOrder: PerformWebQuery -> {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Request payload did not parse as JSON",
"status": 400
}

Hi Danny,
Merry Christmas!

Next problem: figure out why the server isn't taking it :slight_smile:

It seems that you are not generating the JSON structure correctly for the server. A quick search online gave me this result.

Regards

Thanks, but I made a clear mistake (I was sending PEM, not DER format for the CSR).
Still such an error though, and I don’t see obvious problems with my query.
But that’s for another forum :slight_smile:
Thanks again.

Danny

I (9795) Acme: FinalizeOrder : msg {
"protected": "eyJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAiMDAwMWJSZ2xCQUZlQ0tPckkyT1pyWi05WE9uVms0V2R1VkVscVZ6YzZYQzJmZDgiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvZmluYWxpemUvMTE2NDk2NTUvNjY3OTIxMzgiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTY0OTY1NSJ9",
"payload": "TUlJQ1pEQ0NBVXdDQVFBd0h6RWRNQnNHQTFVRUF4TVVaR0Z1Ym5saVlXTnJlQzVvYjNCMGJ5NXZjbWN3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREI0RVQwUmplWjRVWnliclEzTS02RVVlNWpPSE1HN1hXM09JdTE1aWxNT291VHAtcTk3ZHpmSWdQZWw2clhfWWxabVh5VEpSZnR5eEZVSnRnQnJHMldYZUNXWElHM0hNZHg5R1J2OXNNWUk1dTZuVVFwLUxqYlJHeHNmUFdVVjlNRHZPbnZfZlFDR1QxeFRDcTdTWUszMGZGUTBIV3ZsRklmaHAwbVp3S1R3N3k1OXBFVlM5TkpRMmltSmdRT092N2ZjOThvZEg5WXk0VzdSLWlpWWFONGFXWGFPNFlZNXRKU2ZDaElTVkN0OTc2MGZtNzBJVnNsc2J4bjhkMlR2UGtlZFlLSWQ2UVFzUldsN2hzMzh5ekVENUFQOVNpd2xSSHc1THJIX2xKTnNiZG5RdjZ0dkg5bGFPNmQxZzgyRkEyejN0cmVuMHUxREJiVENBNXhRNjlfQWdNQkFBR2dBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBbnJORVRMckpNMUVlMjlrQm9zUzNBRlA1dUdhN3plZWpXdTdVeFBsZE1nYnc2ajdoTjFjTHJYVmtqSmhpcHdDQjNDTkQtdFhnOF9nNzd2UG9EUE5YVFFIMEVqcWxSYUZqME9IaUZHTkN4cXJoVTU1TjZzc1RLMl9xYy1XZkYzVzlRaG5lN2wxN3daMS0ySkdKU1lqS2twXzZScmpIbGkxWnhuNVVodFVkWmJRYlFCMGlNc21lRFN1TjBxaVJCTWlJWHhJaWNzeDdHZXg3VURpdnAwVFdTdTF5R0FxeUZUWmI2QnJmVTh6cGt2Ull3YllRejRRUjJvN3ZhZzNsWkhPTHAtTUZ1eXd6Y0ozUTJkbFVNYlJYYXNOc0d6T1BZb1VCaEhDdjhDOW1pRG8yTXVFSGFwaFo0SG1jVFhHek11aUhOZlRVVWktRzE5TDlUSjNTRl9TTnBR",
"signature": "nEfAWKoYQwVRvvzx9aNt3SjbsCfliG9hgM3zMeXXYIuQ7xehKzmMbJ3vau47w61dCHFBdckJVnRTrxFBfCWK-QdxxFGaVuwzYNj6mf2RsxBRdCQWAVf-TgSKuWQ9Kv65ZDehhy4BbklAOUMHw4PM2R0mzFNrB4OQOKmgIpiDlyTgtS016CYgocN2FhaM-_EKFSv8mUoULg"
}
I (9935) Acme: PerformWebQuery: set_post_field length 1671
I (11125) FTP Server: 26-12-2019 08:19:01 : 220 LightFTP server v2.0a ready
I (11535) Acme: HttpEvent: header Server value nginx
I (11535) Acme: HttpEvent: header Date value Thu, 26 Dec 2019 07:19:02 GMT
I (11535) Acme: HttpEvent: header Content-Type value application/problem+json
I (11545) Acme: HttpEvent: header Content-Length value 107
I (11555) Acme: HttpEvent: header Connection value keep-alive
I (11555) Acme: HttpEvent: header Boulder-Requester value 11649655
I (11565) Acme: HttpEvent: header Cache-Control value public, max-age=0, no-cache
I (11575) Acme: HttpEvent: header Link value https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
I (11585) Acme: HttpEvent: header Replay-Nonce value 00025NerwYzXwK4_IwzoAigiK7mNdOuVY9ZkQMbaSWvaxqA
I (11595) Acme: FinalizeOrder: PerformWebQuery -> {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "JWS verification error",
"status": 400
}
E (11605) Acme: FinalizeOrder: failure 400 urn:ietf:params:acme:error:malformed JWS verification error

Thanks Ron,
I made a very simple mistake: I was using PEM instead of DER as the format for the CSR. The ACME specs clearly state DER :slight_smile:.

Danny
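Two checks that would have caught both problems in this thread, written as an added stand-alone example (not Mbed TLS or the poster's ACME client code): a subject-string check that mirrors the `attr=value, attr=value` form `cert_req` expects, so a bare hostname like `dannybackx.hopto.org` is flagged instead of silently yielding an empty DN, and a converter that takes the PEM CSR, extracts the DER bytes, and builds the ACME finalize payload `{"csr": base64url(DER)}` from RFC 8555. The attribute list is an assumption approximating the table in Mbed TLS 2.x `x509_create.c`; the sample CSR bytes are constructed, not a real request.

```python
import base64
import json
import re

# Assumption: attribute types accepted by mbedtls_x509_string_to_names() in
# Mbed TLS 2.x; extend it if your build maps additional OIDs.
KNOWN_ATTRS = {"CN", "C", "O", "L", "R", "OU", "ST", "emailAddress",
               "serialNumber", "postalAddress", "postalCode", "dnQualifier",
               "title", "surName", "givenName", "initials", "pseudonym",
               "generationQualifier", "domainComponent", "DC"}

DN_ATTR_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")
PEM_CSR_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)"
                        r"-----END CERTIFICATE REQUEST-----", re.S)


def check_subject_name(subject):
    """Return a list of problems with a subject_name string; [] means valid.

    "dannybackx.hopto.org" contains no '=' so it yields no attribute at all,
    which is why the generated CSR carried an empty subject.
    """
    problems = []
    for part in subject.split(","):
        m = DN_ATTR_RE.match(part)
        if not m:
            problems.append("not an attr=value pair: %r" % part.strip())
            continue
        attr, value = m.group(1), m.group(2)
        if attr not in KNOWN_ATTRS:
            problems.append("unknown attribute type: %r" % attr)
        if not value:
            problems.append("empty value for %s" % attr)
    return problems


def pem_csr_to_der(pem):
    """Strip the PEM armour and return the DER bytes of the CSR."""
    m = PEM_CSR_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:          # a CSR is an ASN.1 SEQUENCE
        raise ValueError("decoded data does not start with a SEQUENCE")
    return der


def acme_finalize_payload(pem):
    """Finalize payload per RFC 8555 section 7.4: base64url(DER), no padding."""
    der = pem_csr_to_der(pem)
    csr = base64.urlsafe_b64encode(der).rstrip(b"=").decode("ascii")
    return json.dumps({"csr": csr})


# Constructed sample: SEQUENCE { INTEGER 0 }, enough to exercise the path.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE REQUEST-----\n")
```

Feeding the PEM text itself into the payload (as the first attempt in this thread did) is exactly what `pem_csr_to_der` refuses, since the armour lines are not base64.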
