On 18 Mar 2019, at 04:55, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote: > On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote: > >> [root@localhost ~]# openssl req -in req.bin -inform der >> unable to load X509 request >> 139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287: >> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR >> 139903756527504:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ > > The CSR is malformed. The CSR is incomplete, but isn’t malformed. The CSR is the in the process of being built. Part of that process involves sending the partially complete CSR to another module, which then completes the CSR structure. This used to work, but has regressed when moving from rhel6 to rhel7. > which has a non-zero length signature algorithm OID (l = 9). Your > example has "l=0" where one would expect the signature OID after > the extensions. How do I fix openssl to parse this as it did before? Regards, Graham —