Bug #621: Certificate Manager won't accept a Windows CA signed certificate
Status: Closed
Description
When creating a new certificate request, the following message comes up:
Warning: openssl_pkey_new(): unable to write random state in /etc/inc/certs.inc on line 232
After the certificate has been signed and pasted into the "Final Certificate data" field, the following error is returned upon submission:
The following input errors were detected: The certificate subject 'emailAddress=noc@domain.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX' does not match the signing request subject.
When compared to the request, there is a slight difference:
Request: 'CN=gw01.domain.com, emailAddress=noc@domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
Certificate: 'emailAddress=noc@domain.com, CN=gw01.domain.com, O=Company-1234, L=Somewhere, ST=Somewhere, C=XX'
I'm not too experienced with certificates, so I'm not sure if the order matters.
Updated by Jochen Becker over 14 years ago
You have to look at the ASN.1 information of the certificates.
Some tools (Novell, for example) write the whole subject in one field, and this makes it unusable.
I have no Windows CA; can you upload the certificate file and the CSR file?
Updated by Maxim Hansen over 14 years ago
- File gw01.domain.com.cer added
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Updated by Jochen Becker over 14 years ago
This looks okay in ASN.1 notation. Do you have the CSR file?
Updated by Maxim Hansen over 14 years ago
Not sure if I can get a hold of the CSR, as the certificate is generated by going to the Windows CA certificate request site, pasting in the request above, and choosing the "Web Server" template. When that's done, you get the .cer file above.
Updated by Erik Fonnesbeck about 14 years ago
I'm not really sure whether the order does matter or not. If it does not, maybe it should search for each of the fields in the returned subject.
Should there possibly be an option to force it to accept it anyway even if it doesn't seem to match according to the checks? (the information could be a match but could be in an unrecognized layout)
Updated by Maxim Hansen about 14 years ago
Well, as I said, I'm not too familiar with how certificates work. But I would guess that it computes some sort of hash of the requested values, just to make sure that the request has not been tampered with. And so when the signed certificates hash does not match, it rejects it.
I just tried this last night, and still get the same error. Would be nice if someone else with a Windows CA could test this. Just to make sure it's not a misconfiguration on my part, hehe :p
One way around this might be to alter the certificate template, as I guess that is what formats how the result looks (where the fields are, and all that)?
Updated by Erik Fonnesbeck about 14 years ago
The message you mentioned is shown simply when a certain string comparison fails. If it would be appropriate, it could try to match up fields instead.
Updated by Ermal Luçi almost 14 years ago
Possibly this is related to the format of the .cer, i.e. DER....
So this must be an argument that must be supplied when importing to OpenVPN.
More digging needed on how to find the format!
Updated by Ermal Luçi almost 14 years ago
After checking this more thoroughly this seems to be just about the diff in the created subject.
Another method should be used to match this rather than comparing strings.
I am still evaluating the best option.
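An added example (not code from the pfSense project or from anyone in this thread) of the field-wise comparison suggested above, written in Python rather than the PHP of certs.inc. It works on the two OpenSSL one-line subject strings quoted in the description, parses each into attribute/value pairs and compares them as multisets, so the RDN order chosen by the Windows CA no longer matters, while any real difference in a field is still reported. The parser, the function names and the handling of backslash-escaped commas are my own assumptions about the one-line subject format, not a pfSense API.

```python
"""Order-insensitive comparison of OpenSSL one-line subject strings.

Added example: shows why a plain string comparison of the CSR subject and
the issued certificate's subject fails when the CA reorders the RDNs, and
a field-wise comparison that does not.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample inputs, copied from the bug description above.
CSR_SUBJECT = ("CN=gw01.domain.com, emailAddress=noc@domain.com, "
               "O=Company-1234, L=Somewhere, ST=Somewhere, C=XX")
CERT_SUBJECT = ("emailAddress=noc@domain.com, CN=gw01.domain.com, "
                "O=Company-1234, L=Somewhere, ST=Somewhere, C=XX")

# Split on commas that are not preceded by a backslash: OpenSSL's one-line
# format escapes a literal comma inside a value as "\,". (Assumption about
# the format; adjust if your OpenSSL build prints subjects differently.)
_SPLIT_RE = re.compile(r'(?<!\\),\s*')


def parse_subject(subject: str) -> list[tuple[str, str]]:
    """Parse 'attr=value, attr=value' into an ordered list of (attr, value)."""
    pairs = []
    for component in _SPLIT_RE.split(subject.strip()):
        if not component:
            continue
        if '=' not in component:
            raise ValueError(f"malformed subject component: {component!r}")
        attr, value = component.split('=', 1)
        pairs.append((attr.strip(), value.strip().replace('\\,', ',')))
    return pairs


def subjects_match_naive(a: str, b: str) -> bool:
    """The check the bug report tripped over: byte-for-byte string equality."""
    return a == b


def subjects_match(a: str, b: str) -> bool:
    """True if both subjects carry the same attribute/value pairs in any order.

    A Counter (multiset) is used instead of a set so that a duplicated
    attribute (two OU= entries, say) still has to appear the same number of
    times on both sides.
    """
    return Counter(parse_subject(a)) == Counter(parse_subject(b))


def subject_diff(a: str, b: str) -> tuple[set, set]:
    """Pairs present only in a, and pairs present only in b.

    This is what an input-error message should show the user instead of
    the two full subject strings.
    """
    pa, pb = set(parse_subject(a)), set(parse_subject(b))
    return pa - pb, pb - pa


if __name__ == "__main__":
    print("naive string compare:", subjects_match_naive(CSR_SUBJECT, CERT_SUBJECT))
    print("field-wise compare:  ", subjects_match(CSR_SUBJECT, CERT_SUBJECT))
    print("differences:         ", subject_diff(CSR_SUBJECT, CERT_SUBJECT))
```

Two caveats. RFC 5280 treats RDN order as significant when deciding whether two distinguished names are equal, so this comparison is deliberately looser than strict DN equality; it is only a sanity check that the pasted certificate belongs to the pending request, and its error message can show the user exactly which fields differ. Second, a CA is free to rewrite the subject it issues, so the binding that really ties a certificate to a request is the public key: checking that the certificate's public key equals the CSR's public key is the stronger test and would not have tripped on this reordering at all.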
Updated by Ermal Luçi almost 14 years ago
- Status changed from New to Feedback
The patch is on the latest snapshot; please test with it.
Updated by Maxim Hansen almost 14 years ago
I will try it out sometime during the weekend, and get back to you.
Thanks! :D
Updated by Brian McAndrew almost 14 years ago
Using the latest snapshot [2.0-BETA5 (i386) built on Fri Jan 7 15:25:33 EST 2011], it still shows the error:
The certificate subject [content removed] does not match the signing request subject; the same error as in the description for this bug.
Updated by Ermal Luçi almost 14 years ago
I do not think that patch is in a Jan 7 snapshot.
Please try a more recent one.
Updated by Brian McAndrew almost 14 years ago
- File cert_request.txt added
- File cert_issued.cer added
- File error.PNG added
With the latest snapshot [2.0-BETA5 (i386) built on Mon Jan 10 13:14:45 EST 2011], it still shows the error. Attached are the certificate request, the certificate issued, and the error.
Updated by Ermal Luçi almost 14 years ago
OK, I fixed even the CSR. Can you please try the latest snapshot, or apply the last patch listed here manually?
Updated by Brian McAndrew almost 14 years ago
I think you fixed the problem. With the snapshot [2.0-BETA5 (i386) built on Wed Jan 12 18:38:12 EST 2011] I am able to import the certificate without any error.
Updated by Ermal Luçi almost 14 years ago
- Status changed from Feedback to Resolved