
Bug #621

Certificate Manager won't accept a windows CA signed certificate

Added by Maxim Hansen about 9 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Certificates
Target version:
Start date:
05/28/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

When creating a new certificate request, the following message comes up:

Warning: openssl_pkey_new(): unable to write random state in /etc/inc/certs.inc on line 232

After the certificate has been signed and pasted into the "Final Certificate data" field, the following error is returned upon submission:

The following input errors were detected:

The certificate subject 'emailAddress=noc@domain.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX' does not match the signing request subject.

When compared to the request, there is a slight difference:

Request: 'CN=gw01.domain.com, emailAddress=, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
Certificate: 'emailAddress=, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'

I'm not too experienced with certificates, so I'm not sure if the order matters.

gw01.domain.com.cer (2.04 KB) gw01.domain.com.cer Maxim Hansen, 06/08/2010 05:41 PM
cert_request.txt (1.09 KB) cert_request.txt Certificate Request Brian McAndrew, 01/10/2011 08:10 PM
cert_issued.cer (2 KB) cert_issued.cer Certificate Issued Brian McAndrew, 01/10/2011 08:10 PM
error.PNG (64.1 KB) error.PNG Error shown Brian McAndrew, 01/10/2011 08:10 PM

Associated revisions

Revision b89c34aa (diff)
Added by Ermal Luçi over 8 years ago

Ticket #621. Sort the contents of the array used for generating the subject by keys, so whenever we do subject comparison we will not have a problem just because of the array keys' ordering.

Revision 311f93cd (diff)
Added by Ermal Luçi over 8 years ago

Ticket #621. Sort even the CSR subject, to have the matching go OK during import of externally signed certs.
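The two subjects quoted in the bug description differ only in the position of emailAddress, which is enough to fail a plain string comparison. The following added example (not pfSense's own code from certs.inc) reproduces that failure and shows the check the two revisions above describe: compare the subject components sorted by key, so only a changed key or value, not a reordering, is rejected. The parser assumes the ', '-separated 'key=value' layout seen on this page.

```python
"""Order-independent comparison of X.509 subject DNs (added example for bug #621)."""
from typing import List, Tuple

# Subjects exactly as quoted in the bug report: the Windows CA moved emailAddress
# to the front of the subject when it issued the certificate.
CSR_SUBJECT = "CN=gw01.domain.com, emailAddress=, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX"
CERT_SUBJECT = "emailAddress=, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX"


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a 'key=value, key=value' subject string into (key, value) pairs.

    Assumption: components are separated by ', ' and values contain no unescaped
    commas, which holds for the subjects quoted on this page.
    """
    pairs = []
    for component in subject.split(", "):
        key, sep, value = component.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed subject component: {component!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def subjects_match_by_string(csr: str, cert: str) -> bool:
    """The original check: a plain string comparison, which is order-sensitive."""
    return csr == cert


def subjects_match_by_components(csr: str, cert: str) -> bool:
    """The fixed check: compare components sorted by key, as the revisions do.

    Every key and value must still agree; only the order of components may differ,
    so a CA that rewrites CN or O is still rejected.
    """
    return sorted(parse_subject(csr)) == sorted(parse_subject(cert))


if __name__ == "__main__":
    print("string compare :", subjects_match_by_string(CSR_SUBJECT, CERT_SUBJECT))
    print("sorted compare :", subjects_match_by_components(CSR_SUBJECT, CERT_SUBJECT))
```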

History

#1 Updated by Jochen Becker about 9 years ago

You have to look in the ASN.1 information of the certificates.
Some tools (Novell, for example) write the whole subject in one field, and this makes it unusable.
I have no Windows CA; can you upload the certificate file and the CSR file?

#2 Updated by Maxim Hansen about 9 years ago


#3 Updated by Jochen Becker about 9 years ago

This looks okay in asn1 notation. Do you have the csr file ?

#4 Updated by Maxim Hansen about 9 years ago

Not sure if I can get a hold of the csr, as the certificate is generated by going to the Windows CA certificate request site, pasting in the request above, and choosing the "Web Server" template. When that's done, you get the .cer file above.

#5 Updated by Erik Fonnesbeck almost 9 years ago

I'm not really sure whether the order does matter or not. If it does not, maybe it should search for each of the fields in the returned subject.

Should there possibly be an option to force it to accept it anyway even if it doesn't seem to match according to the checks? (the information could be a match but could be in an unrecognized layout)

#6 Updated by Maxim Hansen almost 9 years ago

Well, as I said, I'm not too familiar with how certificates work. But I would guess that it computes some sort of hash of the requested values, just to make sure that the request has not been tampered with. And so when the signed certificate's hash does not match, it rejects it.

I just tried this last night, and still get the same error. Would be nice if someone else with a Windows CA could test this. Just to make sure it's not a misconfiguration on my part, hehe :p

One way around this might be to alter the certificate template, as I guess that is what formats how the result looks (where the fields are, and all that)?

#7 Updated by Erik Fonnesbeck almost 9 years ago

The message you mentioned is shown simply when a certain string comparison fails. If it would be appropriate, it could try to match up fields instead.

#8 Updated by Ermal Luçi over 8 years ago

Possibly this is related to the format of the cer, i.e. DER...
So this must be an argument that must be supplied during importing to OpenVPN.
More digging needed on how to find the format!

#9 Updated by Ermal Luçi over 8 years ago

After checking this more thoroughly this seems to be just about the diff in the created subject.

Another method should be used to match this rather than comparing strings.

I am still evaluating the best option.

#10 Updated by Ermal Luçi over 8 years ago

  • Status changed from New to Feedback

Patch is on latest snapshot please test with them.

#11 Updated by Maxim Hansen over 8 years ago

I will try it out sometime during the weekend, and get back to you.

Thanks! :D

#12 Updated by Brian McAndrew over 8 years ago

Using the latest snapshot [2.0-BETA5 (i386) built on Fri Jan 7 15:25:33 EST 2011], it still shows the error:
The certificate subject [content removed] does not match the signing request subject; the same error as in the description for this bug.

#13 Updated by Ermal Luçi over 8 years ago

I do not think that patch is in a Jan 7 snapshot.
Please try a more recent one.

#14 Updated by Brian McAndrew over 8 years ago

With the latest snapshot [2.0-BETA5 (i386) built on Mon Jan 10 13:14:45 EST 2011], it still shows the error. Attached are the certificate request, the certificate issued, and the error.

#15 Updated by Ermal Luçi over 8 years ago

OK, I fixed even the CSR. Can you please try the latest snapshot or do the last patch listed here manually?

#16 Updated by Brian McAndrew over 8 years ago

I think you fixed the problem. With the snapshot [2.0-BETA5 (i386) built on Wed Jan 12 18:38:12 EST 2011] I am able to import the certificate without any error.

#17 Updated by Ermal Luçi over 8 years ago

  • Status changed from Feedback to Resolved
