Hi folks,
I'm hitting some issues when trying to create SSL certificates and was wondering if anyone around could help with this.
I can create a CSR and sign it with a newly created key:
$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generating a 2048 bit RSA private key
........................................+++
.....+++
writing new private key to 'privateKey.key'
-----
(enter CSR data)
...
But just after CSR creation, its verification fails:
$ openssl req -text -noout -verify -in CSR.csr
verify failure
139886616864656:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
139886616864656:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
139886616864656:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=ES, L=Default City, O=Default Company Ltd
...
At this point, if I try to create a certificate from the CSR, it creates an empty certificate.
Private key check returns ok:
$ openssl rsa -in privateKey.key -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ openssl req -in CSR.csr -noout -pubkey
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
I am working on a RHEL machine, with this openssl version:
$ rpm -qa | grep openssl
openssl-libs-1.0.2k-12.el7.x86_64
openssl-1.0.2k-12.el7.x86_64
I don't know if it could be related to a missing library, and I have tried to find out the root cause of the issue on the internet and in mailing lists but didn't get to it.
Any help would be very much appreciated.
Thanks!
Jon
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
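
An added diagnostic for the failure reported above (not part of the original message and not OpenSSL project code): it separates "the CSR was built from a different key" from "the keys agree but the self-signature does not verify". It matches on the `verify OK` text instead of the exit status, because the output in the message shows `openssl req` carrying on after `verify failure`. The function name `csr_check` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example; csr_check and its return codes are assumptions
# of this example, not OpenSSL behaviour.
#   0  CSR public key matches the private key and the self-signature verifies
#   1  CSR was built from a different key than the one supplied
#   2  keys match but the CSR self-signature does not verify
#   3  key or CSR could not be parsed
csr_check() {
    key=$1
    csr=$2

    # Public key derived from the private key (SubjectPublicKeyInfo PEM).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 3; }
    # Public key embedded in the request, in the same encoding.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse CSR: $csr" >&2; return 3; }

    if [ "$key_pub" != "$csr_pub" ]; then
        echo "MISMATCH: CSR public key differs from $key" >&2
        return 1
    fi

    # Match on the message text rather than the exit status: 1.0.2 prints
    # "verify OK"; newer releases use a longer line that still contains it.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || true
    case $out in
        *"verify OK"*)
            echo "OK: key matches and self-signature verifies"
            return 0 ;;
        *)
            echo "BAD SIGNATURE: key matches but verification failed" >&2
            printf '%s\n' "$out" >&2
            return 2 ;;
    esac
}

# Command-line use: sh csr_check.sh privateKey.key CSR.csr
if [ "$#" -eq 2 ]; then
    csr_check "$1" "$2"
fi
```

A return of 2 means the keys agree and the problem lies in the signing or verification step itself, not in a key mix-up.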