Help required for CSR validation

Nikos Mavrogiannopoulos nmav at
Wed Nov 18 19:14:48 CET 2009

Wilankar, Trupti wrote:
> Hello,
> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support.
> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs.
>  Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR.
> We generated CSRs with same DN attributes with GnuTLS and OpenSSL.  After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature.
> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR.

 Thanks for bringing that up to me. Probably it might be some error in
the parsing library of the CA. I attach you a quick fix and if it works
for you I will add an option to encode using this format in certtool.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: null-encoding.patch
Type: text/x-patch
Size: 955 bytes
Desc: not available
URL: </pipermail/attachments/20091118/45310f0a/attachment.bin>

More information about the Gnutls-devel mailing list