Jan Meijer wrote:
Hi Mike,
On Fri, 31 Oct 2008, Michael Peck wrote:
> Try removing all of the text from your request file before the -----BEGIN
> NEW CERTIFICATE REQUEST----- line. (The "Certificate request generated by
> Netscape certutil...Phone...", etc text.)
> I tried that and then CMCEnroll worked on your request on my system.
>
> I'm not sure your request is really malformed; it just doesn't have any
> Attributes in it, so the SET OF Attributes (PKCS#10) is zero length and
> dumpasn1 complains.
>
And indeed it does over here as well, working that is. My request is not
malformed out of the ordinary. The zero length that dumpasn1 complains
about is explained by Steve Henson:
http://www.mail-archive.com/openssl-dev@openssl.org/msg10922.html
I tested further today and got more frustrated and then got it working
and now I think I know what's going on. Thanks for delivering the final
piece to my little puzzle :)
I tested with requests generated by certutil and openssl. And given my
familiarity with openssl I started with that. CMCEnroll bombed on the
openssl PEM input,

The difference between NSS and OpenSSL formats is usually in the
headers.
See:
http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates
http://pki.fedoraproject.org/wiki/PKI_TechNote_CRLS

so I figured, well, convert it to DER. And then the
bombing was different and I got the error I sent to the list.
Because this approach didn't work, I switched to certutil *testing with the
binary output*. I did test it with ASCII output but apparently didn't
test with the stuff in front of the actual request removed, otherwise I'd
have found the right way yesterday already.
I got it working today with a request generated by the pkiconsole. An
ASCII request. And then I tried your suggestion and yes, it worked as
well.
Then I tried again with my openssl ASCII output, and no, didn't work.
But, then I converted the openssl DER output to binary using the AtoB
utility and *then* it worked.
I don't know enough intricate details about the formats the requests can
be in but am tempted to say that the openssl binary format is incompatible
with what is expected by CMCEnroll.
And little technologist, what did you learn today? That when confronted
with multiple options I should document what I've tested in a proper test
matrix.
And, oh lucky me, I learned to use certutil. I think that tool is a bit
clunky ;)
Mike, Marc, thanks for your help :=) I'm now unstuck and on the road to
bliss.
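The two things the thread circles around, the descriptive text certutil puts in front of the -----BEGIN NEW CERTIFICATE REQUEST----- line and the zero-length SET OF Attributes that dumpasn1 grumbles about, are easy to check by hand. The following is an added example, not code from the thread or from the Dogtag/NSS/OpenSSL projects: it builds a constructed PKCS#10-shaped request (structurally valid but with a placeholder public key and dummy signature bytes, so it will not verify), wraps it in PEM behind a preamble that only loosely imitates certutil's header text, then shows the header-stripping step Mike suggested, the base64-to-DER conversion that AtoB performs, and a minimal DER walk that locates the [0] attributes element. The regex accepts both the NSS "NEW CERTIFICATE REQUEST" label and OpenSSL's "CERTIFICATE REQUEST" label, which goes slightly beyond the thread. The preamble text and OID byte strings are assumptions made for the example.

```python
import base64
import re

BEGIN_NSS = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END_NSS = "-----END NEW CERTIFICATE REQUEST-----"

# Constructed preamble: only loosely imitates what certutil -a prints, it is
# not captured output from the thread.
CERTUTIL_PREAMBLE = (
    "Certificate request generated by Netscape certutil\n"
    "Phone: (not set)\n"
    "\n"
    "Common Name: example\n"
    "\n"
)


def der_tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_unsigned_csr_der(attributes):
    """Build a CertificationRequest-shaped DER blob (constructed, unsigned).

    The SPKI holds a placeholder BIT STRING and the signature is dummy bytes:
    enough to show the outer structure and the [0] attributes encoding.
    """
    version = der_tlv(0x02, b"\x00")
    cn_oid = der_tlv(0x06, bytes.fromhex("550403"))            # 2.5.4.3 (CN)
    rdn = der_tlv(0x31, der_tlv(0x30, cn_oid + der_tlv(0x0C, b"example")))
    subject = der_tlv(0x30, rdn)
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00\x30\x00"))  # placeholder key
    attrs = der_tlv(0xA0, b"".join(attributes))                # [0] IMPLICIT SET OF
    cri = der_tlv(0x30, version + subject + spki + attrs)
    sha256_rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
    sig_alg = der_tlv(0x30, sha256_rsa + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)                 # dummy signature
    return der_tlv(0x30, cri + sig_alg + sig)


def pem_wrap(der, preamble=""):
    """Base64 the DER and wrap it in NSS-style armour, optionally behind text."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return preamble + BEGIN_NSS + "\n" + "\n".join(lines) + "\n" + END_NSS + "\n"


def pem_preamble(text):
    """Return whatever precedes the BEGIN line (what CMCEnroll choked on)."""
    idx = text.find("-----BEGIN ")
    if idx < 0:
        raise ValueError("no PEM armour found")
    return text[:idx]


def strip_to_der(text):
    """Drop the preamble, then do what AtoB does: base64 body to DER bytes."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def csr_attributes(der):
    """Return (raw [0] TLV, attribute count) from a PKCS#10 DER request.

    An empty attribute set is encoded as a0 00, the zero-length element that
    dumpasn1 warns about even though it is a legal encoding.
    """
    tag, outer, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificationRequest must be a SEQUENCE")
    tag, cri, _ = read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo must be a SEQUENCE")
    pos = 0
    for _ in range(3):                      # version, subject, subjectPKInfo
        _, _, pos = read_tlv(cri, pos)
    start = pos
    tag, attrs, end = read_tlv(cri, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] attributes, got tag 0x%02x" % tag)
    count, p = 0, 0
    while p < len(attrs):
        _, _, p = read_tlv(attrs, p)
        count += 1
    return cri[start:end], count


# Constructed samples: one request with no attributes, one with an (empty)
# extensionRequest attribute, OID 1.2.840.113549.1.9.14.
SAMPLE_DER = build_unsigned_csr_der([])
SAMPLE_PEM = pem_wrap(SAMPLE_DER, CERTUTIL_PREAMBLE)
EXT_REQ_ATTR = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01090e"))
                       + der_tlv(0x31, der_tlv(0x30, b"")))
WITH_EXT_DER = build_unsigned_csr_der([EXT_REQ_ATTR])

if __name__ == "__main__":
    print("preamble lines:", len(pem_preamble(SAMPLE_PEM).splitlines()))
    raw, n = csr_attributes(strip_to_der(SAMPLE_PEM))
    print("attributes TLV:", raw.hex(), "count:", n)
```

Running it against a real certutil -a request file instead of the constructed sample is just a matter of reading the file into `strip_to_der`; if `pem_preamble` returns anything non-empty, that is the text to delete before feeding the file to CMCEnroll, and `csr_attributes` on the result will show `a000` for a request that carries no attributes.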