[openssl-users] CSR verify failure
Felipe Gasper
felipe at felipegasper.com
Mon Mar 26 15:28:05 UTC 2018
Can you paste one of the CSRs that fails verification?
-Felipe
> On Mar 26, 2018, at 11:19 AM, Jon Uriarte <juriarte at redhat.com> wrote:
>
> Hi folks,
>
> I'm hitting some issues when trying to create SSL certificates and was wondering if anyone around could help with this.
> I can create a CSR and sign it with a newly created key:
>
> $ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
> Generating a 2048 bit RSA private key
> ........................................+++
> .....+++
> writing new private key to 'privateKey.key'
> -----
> (enter CSR data)
> ...
>
> But just after CSR creation, its verification fails:
>
> $ openssl req -text -noout -verify -in CSR.csr
> verify failure
> 139886616864656:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
> 139886616864656:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
> 139886616864656:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: C=ES, L=Default City, O=Default Company Ltd
> ...
>
> At this point, if I try to create a certificate from the CSR, it creates an empty certificate.
>
> Private key check returns ok:
>
> $ openssl rsa -in privateKey.key -check
> RSA key ok
> writing RSA key
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----END RSA PRIVATE KEY-----
>
> The public key can be read from the CSR:
>
> $ openssl req -in CSR.csr -noout -pubkey
> -----BEGIN PUBLIC KEY-----
> ...
> -----END PUBLIC KEY-----
>
> I am working on a RHEL machine, with this openssl version:
>
> $ rpm -qa | grep openssl
> openssl-libs-1.0.2k-12.el7.x86_64
> openssl-1.0.2k-12.el7.x86_64
>
> I don't know if it could be related to a missing library. I have tried to find the root cause of the issue on the internet and in mailing lists but didn't get to it.
>
> Any help would be very much appreciated.
>
>
> Thanks!
> Jon
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
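
Two checks that help narrow down a report like the one quoted above, as an added example that is not part of the original thread: whether the public key in the CSR is the one derived from the private key, and whether the CSR's self-signature verifies. The function names and the throwaway sample produced by make_sample are assumptions for illustration; the openssl subcommands are the ones used in the post plus `openssl pkey`.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch; function names are hypothetical, not part of OpenSSL.

# True when the CSR's self-signature verifies. The verdict text is matched
# instead of the exit status, because openssl can keep going after printing
# "verify failure" (the output in the post continues with the request text).
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True when the public key embedded in the CSR ($1) equals the public key
# derived from the private key file ($2). Returns 2 if either cannot be read.
csr_matches_key() {
    local from_csr from_key
    from_csr=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Run both checks on CSR $1 and key $2; return 0 only if both pass.
diagnose_csr() {
    local rc
    rc=0
    if csr_matches_key "$1" "$2"; then
        echo "public key: CSR and private key match"
    else
        echo "public key: MISMATCH or unreadable input"; rc=1
    fi
    if csr_selfsig_ok "$1"; then
        echo "self-signature: OK"
    else
        echo "self-signature: FAILED"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: a throwaway key and CSR named $2 in directory $1,
# built with a minimal config so the system openssl.cnf is not involved.
make_sample() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nC=ES\nO=Example\n' \
        > "$1/min.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/min.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Usage: script.sh CSR.csr privateKey.key
if [ "$#" -eq 2 ]; then diagnose_csr "$1" "$2"; fi
```

A key mismatch points at the wrong key file having been paired with the CSR; a matching key with a failing self-signature points at the signing step or the library build instead.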