<div dir="ltr"><div><div>Hi folks,<br><br></div>I'm hitting some issues when trying to create SSL certificates and was wondering if anyone around could help with this.<br></div><div>I can create a CSR and sign it with a newly created key:</div><div><br></div><div><font size="1"><span style="font-family:monospace,monospace">  $ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key<br>  Generating a 2048 bit RSA private key<br>  ........................................+++<br>  .....+++<br>  writing new private key to 'privateKey.key'<br>  -----<br></span></font></div><div><font size="1"><span style="font-family:monospace,monospace">  (enter CSR data)</span></font></div><div><font size="1"><span style="font-family:monospace,monospace">  ...<br></span></font></div><div><font size="1"><span style="font-family:monospace,monospace"><br></span><font size="2"><span style="font-family:arial,helvetica,sans-serif">But just after CSR creation, its verification fails:</span></font></font></div><div><font size="1"><span style="font-family:monospace,monospace"><br></span></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  $ openssl req -text -noout -verify -in CSR.csr<br>  verify failure<br>  139886616864656:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:<br>  139886616864656:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:<br>  139886616864656:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:<br>  Certificate Request:<br>      Data:<br>          Version: 0 (0x0)<br>          Subject: C=ES, L=Default City, O=Default Company Ltd</span></font><br>  ...<br></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></font></div><div><font size="1"><font size="2"><span 
style="font-family:arial,helvetica,sans-serif">At this point, if I try to create a certificate from the CSR, it creates an empty certificate.<br></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif">Private key check returns ok:<br></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><br></span></font></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  $ openssl rsa -in privateKey.key -check<br>  RSA key ok<br>  writing RSA key<br>  -----BEGIN RSA PRIVATE KEY-----</span></font></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  ...</span></font></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  -----END RSA PRIVATE KEY-----<br></span></font></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></font></div>The public key can be read from the CSR:<br><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><br></span></font></font></div><div><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  </span></font></span></font></font>$ openssl req -in CSR.csr 
-noout -pubkey<br></span></font></span></font></font><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  </span></font></span></font></font>-----BEGIN PUBLIC KEY-----<br></span></font></span></font></font><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  ...</span></font></span></font></font></span></font></span></font></font><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><br></span></font></span></font></font><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace"><font size="1"><font size="2"><span style="font-family:arial,helvetica,sans-serif"><font size="1"><span style="font-family:monospace,monospace">  </span></font></span></font></font>-----END PUBLIC KEY-----</span></font><br><br></span></font></font></div><div><font size="2"><span style="font-family:arial,helvetica,sans-serif"></span></font></div><div><font size="2"><span style="font-family:arial,helvetica,sans-serif">I am working on a RHEL machine, with this openssl version:</span></font></div><div><font size="2"><span style="font-family:arial,helvetica,sans-serif"></span></font><br><font size="1"><span style="font-family:monospace,monospace"></span></font></div><div><font size="1"><span style="font-family:monospace,monospace">  $ rpm -qa | grep openssl                                           <br>  openssl-libs-1.0.2k-12.el7.x86_64<br>  
openssl-1.0.2k-12.el7.x86_64</span></font><br></div><div><br></div><div>I don't know if it could be related to a missing library. I have tried to find the root cause of the issue on the internet and in mailing lists, but didn't get to it.</div><div><br></div><div>Any help would be very much appreciated.</div><div><br></div><div><br></div><div>Thanks!</div><div>Jon<br></div><br></div>
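<div>The three checks from the post, scripted as an added example (not the poster's commands): it verifies the CSR self-signature by its message and compares the public key in the CSR with the one derived from the private key. The function names and the temporary directory are assumptions; the file names and subject are the ones shown in the post.</div>

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# the function names and the temporary directory are assumptions.

# Create a key and CSR non-interactively (subject taken from the post's output).
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/privateKey.key" -out "$1/CSR.csr" \
        -subj "/C=ES/L=Default City/O=Default Company Ltd" 2>/dev/null
}

# Verify the CSR self-signature. Match the message as well as the exit
# status: in the post's output the request is still printed after
# "verify failure", so the command did not stop at that point.
csr_signature_ok() {
    out=$(openssl req -in "$1" -noout -verify 2>&1) || return 1
    case $out in
        *"verify failure"*) return 1 ;;
        *"verify OK"*)      return 0 ;;
    esac
    return 1
}

# SHA-256 over the DER public key, so PEM formatting cannot cause a mismatch.
csr_pubkey_digest() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True only if the CSR carries the public half of the given private key.
csr_matches_key() {
    a=$(csr_pubkey_digest "$1"); b=$(key_pubkey_digest "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on freshly generated sample files.
tmp=$(mktemp -d)
if make_sample "$tmp"; then
    csr_signature_ok "$tmp/CSR.csr" && echo "self-signature: OK" || echo "self-signature: FAILED"
    csr_matches_key "$tmp/CSR.csr" "$tmp/privateKey.key" && echo "key match: yes" || echo "key match: no"
fi
rm -rf "$tmp"
```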