OK, I see the verify error with the CSR you sent, so it's an issue with creating the CSR, not with verifying it. Beyond that I don't see the issue, but I'd have to debug it (or decrypt the signature manually) to see what exactly the problem is. OpenSSL is complaining that it expects the signature to use PKCS#1 type 1 padding, but the block-type byte doesn't have value 1, i.e. PKCS#1 v1.5 padding. I don't know why openssl req -new on your system might have generated a signature with some other type of padding. openssl req doesn't appear to honor -sigopt rsa_padding_mode, for example; I just tried it, and it didn't produce an error, but didn't seem to have any effect either. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users