CSR analysis failed
While placing your order, you may encounter this kind of error message: CSR analysis failed.CERTIFICATE REQUEST
Make sure the chain of characters you have pasted in the order form looks like:-----BEGIN CERTIFICATE REQUEST----- t9iZCa9PobnjK8j6FQz0MH1LLiLvCzLQAtcipm8DDT4H8q5M0F7+xWbQZuTiZYCg ... MFoXDTEyMDUwNTIzNTk1OVoweTELMAkGA1UEBhMCRlIxFjAUBgNVBAgTDUlsZS1k -----END CERTIFICATE REQUEST-----
If not, the file is not the one expected.
Renewal under IIS7
A CSR generated by Microsoft Internet Information Server for a renewal may cause an analysis error in our interface. Indeed, Microsoft Technet explains that this procedure should only be used for the renewal of Microsoft self-signed certificates.for a IIS7 server, we advise to follow the procedure described here, even for a renewal:
http://www.tbs-certificats.com/FAQ/en/447.html
Convert the renewal request generated by IIS7
Certificate Request #PKCS7 - DER to CSR in #PKCS10 format - PEM
If you absolutely need to used the file generated for a IIS internal renewal, you'll have to extract the CSR in #PKCS10 format from the #PKCS7 format used by Microsoft.To do so, here is the command to execute with OpenSSL:
openssl asn1parse -in file-iis7.csr -strparse $(openssl asn1parse -in file-iis7.csr | grep -A2 ':pkcs7-data'|tail -1|cut -d: -f1) -out /dev/stdout -noout | openssl req -inform DER -out file-csr-pem.csr
On Windows environments, you'll have to proceed in several steps:
- Display the file structure:
openssl asn1parse -in file-iis7.csr -i
This command must display lines as below. spot:
":pkcs7-data",
then:
"58:d=5 hl=4 l=1870 prim: OCTET STRING [HEX DUMP]:3082074A..."
0:d=0 hl=4 l=3391 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 15:d=1 hl=4 l=3376 cons: cont [ 0 ] 19:d=2 hl=4 l=3372 cons: SEQUENCE 23:d=3 hl=2 l= 1 prim: INTEGER :01 26:d=3 hl=2 l= 11 cons: SET 28:d=4 hl=2 l= 9 cons: SEQUENCE 30:d=5 hl=2 l= 5 prim: OBJECT :sha1 37:d=5 hl=2 l= 0 prim: NULL 39:d=3 hl=4 l=1889 cons: SEQUENCE 43:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 54:d=4 hl=4 l=1874 cons: cont [ 0 ] 58:d=5 hl=4 l=1870 prim: OCTET STRING [HEX DUMP]:3082074A30
-
Spot the line number, in our example: 58
You can then extract the DER CSR.
openssl asn1parse -in file-iis7.csr -strparse 58 -out csr.der
-
Finaly, convert the DER encoded CSR into PEM #PKCS10 format:
openssl req -inform der -in csr.der -out mynewcsr.csr
Last edited on 05/26/2016 12:16:37 --- [search]