[openssl-users] CSR verify failure

Jon Uriarte juriarte at redhat.com
Mon Mar 26 15:19:01 UTC 2018


Hi folks,

I'm hitting some issues when trying to create SSL certificates and was
wondering if anyone around could help with this.
I can create a CSR and sign it with a newly created key:

  $ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  Generating a 2048 bit RSA private key
  ........................................+++
  .....+++
  writing new private key to 'privateKey.key'
  -----
  (enter CSR data)
  ...

But just after CSR creation, its verification fails:

  $ openssl req -text -noout -verify -in CSR.csr
  verify failure
  139886616864656:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
  139886616864656:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
  139886616864656:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:
  Certificate Request:
      Data:
          Version: 0 (0x0)
          Subject: C=ES, L=Default City, O=Default Company Ltd
  ...

At this point, if I try to create a certificate from the CSR, it creates an
empty certificate.

Private key check returns ok:

  $ openssl rsa -in privateKey.key -check
  RSA key ok
  writing RSA key
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----

The public key can be read from the CSR:

  $ openssl req -in CSR.csr -noout -pubkey
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----

I am working on a RHEL machine, with this openssl version:

  $ rpm -qa | grep openssl
  openssl-libs-1.0.2k-12.el7.x86_64
  openssl-1.0.2k-12.el7.x86_64

I don't know if it could be related to a missing library. I have tried to
find the root cause of the issue on the internet and in mailing lists but
didn't get to it.

Any help would be very much appreciated.


Thanks!
Jon
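
Added example (not part of the original post): a shell helper that runs the two checks above as one test and reports which one fails, the CSR's self-signature or the match between the CSR's public key and the private key. The name `check_csr` and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# check_csr CSR KEY  (hypothetical helper; added example, not from the post)
# Returns 0 if the CSR's self-signature verifies and its public key is the
# one belonging to KEY, 1 if the self-signature fails, 2 if the key does
# not match or cannot be read.
check_csr() {
    csr=$1
    key=$2

    # Step 1: self-signature (proof of possession of the CSR's key).
    # The post's output shows `openssl req -verify` carrying on after
    # "verify failure", so match the message (written to stderr) instead
    # of relying on the exit status.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        return 1
    fi

    # Step 2: the public key embedded in the CSR must equal the public half
    # of the private key. `openssl pkey` keeps this independent of key type.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        return 2
    fi
    return 0
}
```

A result of 1 on a freshly generated CSR, as in the report above, points at the signing or verification step itself rather than at a key mix-up.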