On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote:

> [root@localhost ~]# openssl req -in req.bin -inform der
> unable to load X509 request
> 139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ

The CSR is malformed.

> The CSR can be found here: http://www.sharp.fm/req.bin
>
> Would it be possible to confirm what is wrong with this request?

Running "openssl asn1parse -inform DER" we get:

    0:d=0  hl=4 l= 509 cons: SEQUENCE
    4:d=1  hl=4 l= 498 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=2 l=  67 cons: SEQUENCE
   13:d=3  hl=2 l=  14 cons: SET
   15:d=4  hl=2 l=  12 cons: SEQUENCE
   17:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   22:d=5  hl=2 l=   5 prim: UTF8STRING        :Test1
   29:d=3  hl=2 l=  49 cons: SET
   31:d=4  hl=2 l=  47 cons: SEQUENCE
   33:d=5  hl=2 l=   3 prim: OBJECT            :serialNumber
   38:d=5  hl=2 l=  40 prim: PRINTABLESTRING   :354616bb0358f9474f1e84af5550567f8b6c4d5b
   80:d=2  hl=4 l= 290 cons: SEQUENCE
   84:d=3  hl=2 l=  13 cons: SEQUENCE
   86:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   97:d=4  hl=2 l=   0 prim: NULL
   99:d=3  hl=4 l= 271 prim: BIT STRING
  374:d=2  hl=3 l= 129 cons: cont [ 0 ]
  377:d=3  hl=2 l=  42 cons: SEQUENCE
  379:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword
  390:d=4  hl=2 l=  29 cons: SET
  392:d=5  hl=2 l=  27 prim: IA5STRING         :dfwrrdq4uhec96yj23io8soav0
  421:d=3  hl=2 l=  83 cons: SEQUENCE
  423:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request
  434:d=4  hl=2 l=  70 cons: SET
  436:d=5  hl=2 l=  68 cons: SEQUENCE
  438:d=6  hl=2 l=  66 cons: SEQUENCE
  440:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  445:d=7  hl=2 l=  59 prim: OCTET STRING      [HEX DUMP]:303981373335343631366262303335386639343734663165383461663535353035363766386236633464356240756B2E736173686B65792E6F7267
  506:d=1  hl=2 l=   2 cons: SEQUENCE
  508:d=2  hl=2 l=   0 prim: OBJECT            :BAD OBJECT:[]
  510:d=1  hl=2 l=   1 prim: BIT STRING

Whereas with:

$ openssl req -config <(
      printf "distinguished_name = dn\n[dn]\nprompt=yes\n[v3req]\n%s\n" \
          "subjectAltName = DNS:example.com"
  ) -reqexts v3req -new -newkey rsa:1024 -keyout /dev/null \
    -nodes -subj / 2>/dev/null | openssl asn1parse

we get:

    0:d=0  hl=4 l= 360 cons: SEQUENCE
    4:d=1  hl=3 l= 210 cons: SEQUENCE
    7:d=2  hl=2 l=   1 prim: INTEGER           :00
   10:d=2  hl=2 l=   0 cons: SEQUENCE
   12:d=2  hl=3 l= 159 cons: SEQUENCE
   15:d=3  hl=2 l=  13 cons: SEQUENCE
   17:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   28:d=4  hl=2 l=   0 prim: NULL
   30:d=3  hl=3 l= 141 prim: BIT STRING
  174:d=2  hl=2 l=  41 cons: cont [ 0 ]
  176:d=3  hl=2 l=  39 cons: SEQUENCE
  178:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request
  189:d=4  hl=2 l=  26 cons: SET
  191:d=5  hl=2 l=  24 cons: SEQUENCE
  193:d=6  hl=2 l=  22 cons: SEQUENCE
  195:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  200:d=7  hl=2 l=  15 prim: OCTET STRING      [HEX DUMP]:300D820B6578616D706C652E636F6D
  217:d=1  hl=2 l=  13 cons: SEQUENCE
  219:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  230:d=2  hl=2 l=   0 prim: NULL
  232:d=1  hl=3 l= 129 prim: BIT STRING

which has a non-zero length signature algorithm OID (l = 9).  Your example
has "l=0" where one would expect the signature OID after the extensions.

-- 
	Viktor.
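As an added example, not part of this thread, here is a small Python DER walker that performs the check Viktor describes by hand: it reads the three top-level elements of a PKCS#10 CertificationRequest and reports whether signatureAlgorithm carries a non-empty OBJECT IDENTIFIER, decoding it to dotted form when it does. The two CSRs it checks are constructed skeletons (no real key or signature inside); the second mirrors the "l=0 ... BAD OBJECT" element in the asn1parse output above.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, n = buf[pos], buf[pos + 1]
    start, length = pos + 2, n           # short-form length
    if n >= 0x80:                        # long form: low 7 bits = number of length octets
        k = n & 0x7F
        length = int.from_bytes(buf[start:start + k], "big")
        start += k
    return tag, buf[start:start + length], start + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """Dotted-form OID from its DER content octets (base-128 arcs)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def check_csr_sigalg(der):
    """Return the signature OID in dotted form, or a diagnostic starting with 'BAD'."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        return "BAD: CertificationRequest is not a SEQUENCE"
    parts = list(children(body))
    if len(parts) != 3 or parts[1][0] != 0x30 or parts[2][0] != 0x03:
        return "BAD: expected cri SEQUENCE, sigalg SEQUENCE, signature BIT STRING"
    alg = list(children(parts[1][1]))
    if not alg or alg[0][0] != 0x06:
        return "BAD: signatureAlgorithm does not start with an OBJECT IDENTIFIER"
    if len(alg[0][1]) == 0:
        return "BAD: zero-length OID in signatureAlgorithm (what c2i_ASN1_OBJECT rejected)"
    return decode_oid(alg[0][1])
def tlv(tag, body):
    """DER-encode one element; short-form lengths only, enough for these constructed samples."""
    return bytes([tag, len(body)]) + body
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption, 1.2.840.113549.1.1.11
CRI = tlv(0x30, tlv(0x02, b"\x00"))                # constructed stand-in for CertificationRequestInfo
GOOD_CSR = tlv(0x30, CRI + tlv(0x30, tlv(0x06, SHA256_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
BAD_CSR = tlv(0x30, CRI + tlv(0x30, tlv(0x06, b"")) + tlv(0x03, b"\x00"))  # mirrors "l=0 ... BAD OBJECT"
```

To run it against a real request, pass the raw DER bytes of the file (for a PEM CSR, base64-decode the body between the BEGIN/END lines first) to check_csr_sigalg.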