Certificate Manager won't accept a Windows CA signed certificate
When creating a new certificate request, the following message comes up:
Warning: openssl_pkey_new(): unable to write random state in /etc/inc/certs.inc on line 232
After the certificate has been signed and pasted into the "Final Certificate data" field, the following error is returned upon submission:
The following input errors were detected: The certificate subject 'emailAddressemail@example.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX' does not match the signing request subject.
When compared to the request, there is a slight difference:
Request: 'CN=gw01.domain.com, emailAddressfirstname.lastname@example.org, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
Certificate: 'emailAddressemail@example.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
I'm not too experienced with certificates, so I'm not sure if the order matters.
Ticket #621. Sort the contents of the array used for generating the subject by keys, so that whenever we do a subject comparison we will not have a problem just because of the array key ordering.
#2 Updated by Maxim Hansen almost 9 years ago
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
#5 Updated by Erik Fonnesbeck over 8 years ago
I'm not really sure whether the order does matter or not. If it does not, maybe it should search for each of the fields in the returned subject.
Should there possibly be an option to force it to accept it anyway even if it doesn't seem to match according to the checks? (the information could be a match but could be in an unrecognized layout)
#6 Updated by Maxim Hansen over 8 years ago
Well, as I said, I'm not too familiar with how certificates work. But I would guess that it computes some sort of hash of the requested values, just to make sure that the request has not been tampered with. And so when the signed certificate's hash does not match, it rejects it.
I just tried this last night, and still get the same error. Would be nice if someone else with a Windows CA could test this. Just to make sure it's not a misconfiguration on my part, hehe :p
One way around this might be to alter the certificate template, as I guess that is what formats how the result looks (where the fields are, and all that)?
#14 Updated by Brian McAndrew over 8 years ago
- File cert_request.txt added
- File cert_issued.cer added
- File error.PNG added
With the latest snapshot [2.0-BETA5 (i386) built on Mon Jan 10 13:14:45 EST 2011], it still shows the error. Attached are the certificate request, the certificate issued, and the error.
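The approach named in the Ticket #621 commit message (sort the subject array by key before comparing) is shown below as an added PHP example. It is not pfSense's own code: the function names and the sample subject arrays are constructed for illustration, shaped like the arrays PHP's openssl_csr_get_subject() and openssl_x509_parse() return.

```php
<?php
// Added example, not pfSense code. All names and sample values are constructed.

// Build a subject string in whatever order the array happens to be in.
function subject_string(array $subject): string
{
    $parts = [];
    foreach ($subject as $key => $value) {
        // Repeated attributes (e.g. two OU values) arrive as a nested array.
        foreach ((array)$value as $v) {
            $parts[] = "{$key}={$v}";
        }
    }
    return implode(', ', $parts);
}

// Canonical form: attribute keys sorted, every value normalised to a list of strings.
// The order of repeated values within one attribute is left untouched.
function canonical_subject(array $subject): array
{
    $out = [];
    foreach ($subject as $key => $value) {
        $out[$key] = array_map('strval', (array)$value);
    }
    ksort($out, SORT_STRING);
    return $out;
}

// True when both subjects carry the same attributes and values, in any key order.
function subjects_match(array $a, array $b): bool
{
    return canonical_subject($a) === canonical_subject($b);
}

// Constructed sample data: same fields, different field order (as in this ticket).
$csr   = ['CN' => 'gw01.domain.com', 'emailAddress' => 'admin@example.com',
          'O' => 'Company-1234', 'OU' => ['IT', 'Ops'], 'C' => 'XX'];
$cert  = ['emailAddress' => 'admin@example.com', 'CN' => 'gw01.domain.com',
          'O' => 'Company-1234', 'OU' => ['IT', 'Ops'], 'C' => 'XX'];
$other = ['CN' => 'gw02.domain.com'] + $cert;   // genuinely different subject

var_dump(subject_string($csr) === subject_string($cert)); // order-sensitive string compare
var_dump(subjects_match($csr, $cert));                    // key-sorted compare
var_dump(subjects_match($csr, $other));                   // different CN must still fail
```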