Thursday, 28 October 2004

Standards standars standards

Ever tried using openssl on linux to sign a certificate created by the windows wizard?

bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr -req -out brew.xxx.com.br.crt
14931:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST
bash$

Dog gamn it! I think, what the fuck. The CSR seems okay:
bash$ cat brew.xxx.com.br.csr
---BEGIN NEW CERTIFICATE REQUEST-----
(... bunch of encoded, standard stuff)
-----END NEW CERTIFICATE REQUEST-----

Hmm. Let's try again. Maybe openssl didn't get it right the first time:

bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr -req -out brew.xxx.com.br.crt
14931:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST

Shit, man. Let's check an openssl generated CSR:

$ diff brew.xxx.com.br.csr intranet.csr
1,2c1,2
< ---BEGIN NEW CERTIFICATE REQUEST----- <> -----BEGIN CERTIFICATE REQUEST-----
> MIIC9TCCAd0CAQAwga8xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5SaW8gZGUgSmFu
4,22c4,18

Whoa! it seems that CSRs created on windows have "NEW" on the header. That's good, because I could wind up signing the "OLD" certificate request.

bash$ sed "s/NEW //g" brew.xxx.com.br.csr > brew.xxx.com.br.csr2
bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr -req -out brew.xxx.com.br.crt
Signature ok
subject=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=nXXX Ltda/OU=Operacoes/CN=brew.xxx.com.br
Getting CA Private Key

So, lesson of the day: if you are trying to sign a certificate request created on windows using openssl, be sure to strip off the "NEW" from the header. Works ok!