Bug #621

closed

Certificate Manager won't accept a windows CA signed certificate

Added by Maxim Hansen over 11 years ago. Updated almost 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Certificates
Target version:
Start date: 05/28/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

When creating a new certificate request, the following message comes up:

Warning: openssl_pkey_new(): unable to write random state in /etc/inc/certs.inc on line 232

After the certificate has been signed and pasted into the "Final Certificate data" field, the following error is returned upon submission:

The following input errors were detected:

The certificate subject 'emailAddress=noc@domain.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX' does not match the signing request subject.

When compared to the request, there is a slight difference:

Request: 'CN=gw01.domain.com, emailAddress=, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
Certificate: 'emailAddress=, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'

I'm not too experienced with certificates, so I'm not sure if the order matters.


Files

gw01.domain.com.cer (2.04 KB) gw01.domain.com.cer Maxim Hansen, 06/08/2010 05:41 PM
cert_request.txt (1.09 KB) cert_request.txt Certificate Request Brian McAndrew, 01/10/2011 08:10 PM
cert_issued.cer (2 KB) cert_issued.cer Certificate Issued Brian McAndrew, 01/10/2011 08:10 PM
error.PNG (64.1 KB) error.PNG Error shown Brian McAndrew, 01/10/2011 08:10 PM
Actions #1

Updated by Jochen Becker over 11 years ago

You have to look in the ASN.1 information of the certificates.
Some tools (Novell, for example) write the whole subject in one field, and this makes it unusable.
I have no Windows CA; can you upload the certificate file and the CSR file?

Actions #2

Updated by Maxim Hansen over 11 years ago

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Actions #3

Updated by Jochen Becker over 11 years ago

This looks okay in asn1 notation. Do you have the csr file ?

Actions #4

Updated by Maxim Hansen over 11 years ago

Not sure if I can get a hold of the csr, as the certificate is generated by going to the Windows CA certificate request site, pasting in the request above, and choosing the "Web Server" template. When that's done, you get the .cer file above.

Actions #5

Updated by Erik Fonnesbeck about 11 years ago

I'm not really sure whether the order does matter or not. If it does not, maybe it should search for each of the fields in the returned subject.

Should there possibly be an option to force it to accept it anyway even if it doesn't seem to match according to the checks? (the information could be a match but could be in an unrecognized layout)

Actions #6

Updated by Maxim Hansen about 11 years ago

Well, as I said, I'm not too familiar with how certificates work. But I would guess that it computes some sort of hash of the requested values, just to make sure that the request has not been tampered with. And so when the signed certificate's hash does not match, it rejects it.

I just tried this last night, and still get the same error. Would be nice if someone else with a Windows CA could test this. Just to make sure it's not a misconfiguration on my part, hehe :p

One way around this might be to alter the certificate template, as I guess that is what formats how the result looks (where the fields are, and all that)?

Actions #7

Updated by Erik Fonnesbeck about 11 years ago

The message you mentioned is shown simply when a certain string comparison fails. If it would be appropriate, it could try to match up fields instead.

Actions #8

Updated by Ermal Luçi almost 11 years ago

Possibly this is related to the format of the .cer, i.e. DER....
So this must be an argument that must be supplied during importing to OpenVPN.
More digging needed on how to find the format!

Actions #9

Updated by Ermal Luçi almost 11 years ago

After checking this more thoroughly this seems to be just about the diff in the created subject.

Another method should be used to match this rather than comparing strings.

I am still evaluating the best option.
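The order-independent comparison discussed above, as an added illustration (Python, not pfSense's own PHP in certs.inc): parse both subject strings into a multiset of attribute/value pairs and report which components differ instead of comparing the raw strings. The two subject strings are the ones quoted in the description; the escaped-comma handling and the mismatch report are this example's own additions.

```python
from collections import Counter

# Subjects as quoted in the bug description (emailAddress value is empty there).
CSR_SUBJECT = "CN=gw01.domain.com, emailAddress=, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX"
CERT_SUBJECT = "emailAddress=, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX"


def split_rdns(subject):
    """Split a one-line subject into 'attr=value' components, honouring
    backslash-escaped commas so a value like 'O=Acme\\, Inc' stays whole."""
    components, current, escaped = [], [], False
    for ch in subject:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    components.append("".join(current))
    return [c.strip() for c in components if c.strip()]


def parse_subject(subject):
    """Return the subject as a multiset of (attribute, value) pairs: order is
    irrelevant, but a repeated attribute (e.g. two OU=) must repeat equally."""
    pairs = Counter()
    for component in split_rdns(subject):
        if "=" not in component:
            raise ValueError("malformed RDN component: %r" % component)
        attr, value = component.split("=", 1)
        pairs[(attr.strip(), value.strip())] += 1
    return pairs


def subject_mismatch(csr_subject, cert_subject):
    """Return (missing, unexpected): components in the CSR but not in the
    certificate, and vice versa. Both lists empty means the subjects match."""
    csr, cert = parse_subject(csr_subject), parse_subject(cert_subject)
    missing = sorted((csr - cert).elements())
    unexpected = sorted((cert - csr).elements())
    return missing, unexpected


def subjects_match(csr_subject, cert_subject):
    missing, unexpected = subject_mismatch(csr_subject, cert_subject)
    return not missing and not unexpected
```

Reporting the differing components, rather than a bare "does not match", is what lets an admin tell a harmless reordering from a CA that actually changed a field.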

Actions #10

Updated by Ermal Luçi almost 11 years ago

  • Status changed from New to Feedback

The patch is on the latest snapshots; please test with them.

Actions #11

Updated by Maxim Hansen almost 11 years ago

I will try it out sometime during the weekend, and get back to you.

Thanks! :D

Actions #12

Updated by Brian McAndrew almost 11 years ago

Using the latest snapshot [2.0-BETA5 (i386) built on Fri Jan 7 15:25:33 EST 2011], it still shows the error:
The certificate subject [content removed] does not match the signing request subject; the same error as in the description for this bug.

Actions #13

Updated by Ermal Luçi almost 11 years ago

I do not think that patch is in a Jan 7 snapshot.
Please try a more recent one.

Actions #14

Updated by Brian McAndrew almost 11 years ago

With the latest snapshot [2.0-BETA5 (i386) built on Mon Jan 10 13:14:45 EST 2011], it still shows the error. Attached are the certificate request, the certificate issued, and the error.

Actions #15

Updated by Ermal Luçi almost 11 years ago

Ok, I fixed the CSR side too. Can you please try the latest snapshot, or apply the last patch listed here manually?

Actions #16

Updated by Brian McAndrew almost 11 years ago

I think you fixed the problem. With the snapshot [2.0-BETA5 (i386) built on Wed Jan 12 18:38:12 EST 2011] I am able to import the certificate without any error.

Actions #17

Updated by Ermal Luçi almost 11 years ago

  • Status changed from Feedback to Resolved