Ever tried using openssl on Linux to sign a certificate request created by the Windows wizard?
bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr -req -out brew.xxx.com.br.crt
14931:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST
bash$
Dog gamn it! I think, what the fuck. The CSR seems okay:
bash$ cat brew.xxx.com.br.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
(... bunch of encoded, standard stuff)
-----END NEW CERTIFICATE REQUEST-----
Hmm. Let's try again. Maybe openssl didn't get it right the first time:
bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr -req -out brew.xxx.com.br.crt
14931:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST
Shit, man. Let's check an openssl generated CSR:
$ diff brew.xxx.com.br.csr intranet.csr
1,2c1,2
< -----BEGIN NEW CERTIFICATE REQUEST-----
---
> -----BEGIN CERTIFICATE REQUEST-----
> MIIC9TCCAd0CAQAwga8xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5SaW8gZGUgSmFu
4,22c4,18
Whoa! It seems that CSRs created on Windows have "NEW" in the header. That's good, because I could wind up signing the "OLD" certificate request.
bash$ sed "s/NEW //g" brew.xxx.com.br.csr > brew.xxx.com.br.csr2
bash$ openssl x509 -days 900 -CAserial ca.serial -CA ca.crt -CAkey ca.key -in brew.xxx.com.br.csr2 -req -out brew.xxx.com.br.crt
Signature ok
subject=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=nXXX Ltda/OU=Operacoes/CN=brew.xxx.com.br
Getting CA Private Key
So, lesson of the day: if you are trying to use openssl to sign a certificate request created on Windows, be sure to strip "NEW " from the BEGIN and END header lines first. Works ok!
Thursday, 28 October 2004
1 comment:
One more thing to add. You will have to strip carriage returns from the request. Replace all instances of "\r\n" with "\n".
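A small shell helper, added here and not part of the original post or its comment, that applies both fixes described above (drop the "NEW" label from the PEM BEGIN/END lines, strip the CR of CRLF endings) without touching the base64 body, and then runs the check a CA should do before signing: verify the requester's self-signature on the CSR and show its subject. The sample request is constructed and the file names are assumed; recent OpenSSL releases accept the NEW label on their own, but the CRLF and pre-signing checks still apply.

```shell
#!/bin/sh
# Added example, not code from the original post. Fixes the two things the
# post and its comment describe: the "NEW" label on the PEM BEGIN/END lines
# and CRLF line endings. Only the label lines are rewritten, so the base64
# body is never touched (a global "s/NEW //" would also hit the body).

# stdin: raw request as exported by Windows; stdout: request OpenSSL accepts
normalize_csr() {
    tr -d '\r' | sed \
        -e 's/^-----BEGIN NEW CERTIFICATE REQUEST-----$/-----BEGIN CERTIFICATE REQUEST-----/' \
        -e 's/^-----END NEW CERTIFICATE REQUEST-----$/-----END CERTIFICATE REQUEST-----/'
}

# Returns 0 when the file carries the labels OpenSSL expects and no CR bytes.
csr_is_clean() {
    ! grep -q "$(printf '\r')" "$1" &&
        grep -q '^-----BEGIN CERTIFICATE REQUEST-----$' "$1" &&
        grep -q '^-----END CERTIFICATE REQUEST-----$' "$1"
}

# What a CA should run before "openssl x509 -req": verify the requester's
# self-signature on the CSR and print the subject so it can be compared with
# what was actually ordered. Skipped when openssl is not installed.
check_csr() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping verification of $1" >&2
        return 0
    fi
    openssl req -noout -verify -subject -in "$1"
}

# Constructed sample (not a real request): Windows-style labels, CRLF endings.
write_sample_csr() {
    printf '%s\r\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' \
        'MIIC9TCCAd0CAQAwga8xCzAJBgNVBAYTAkJS' \
        '-----END NEW CERTIFICATE REQUEST-----' > "$1"
}

# Demo on the constructed sample; for a real file the flow is
#   normalize_csr < brew.xxx.com.br.csr > brew.xxx.com.br.csr2 && check_csr brew.xxx.com.br.csr2
tmp=$(mktemp)
write_sample_csr "$tmp"
csr_is_clean "$tmp" || echo "raw sample rejected, as expected"
normalize_csr < "$tmp" > "$tmp.clean"
csr_is_clean "$tmp.clean" && echo "normalised sample is ready for openssl x509 -req"
rm -f "$tmp" "$tmp.clean"
```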