#26 Use original DER encoding of subject in generated CSRs
Closed: Fixed. Opened 5 years ago by jcholast.

When generating CSRs, certmonger does not necessarily encode the subject the same way as in the original certificate. When renewing a CA certificate stored in an NSS database, this causes the certificate chain to break, as NSS expects the subject not to change at the DER level.

Do you have a sample certificate that led to this problem? I'm increasingly curious about what form the subject name is taking that the (admittedly possibly-lossy) conversion to a string and then re-parsing of that string produces a different result.

It happens for CA certificates created by Dogtag on IPA install. They use UTF8String for attribute values in the subject, which are converted to PrintableString when you decode and encode them again.

Ah, that makes sense. I was wondering about attribute-to-OID conversions, but I hadn't thought about the tagging of string values. Thanks for clarifying!
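The round trip jcholast describes, as an added example that is not certmonger's or Dogtag's code: a subject is decoded from a certificate, flattened to its string form, parsed back, and re-encoded, and the string step silently drops the ASN.1 tag of every attribute value, so a subject that Dogtag issued with UTF8String values comes back as PrintableString and no longer matches byte for byte. The subject (`O=EXAMPLE.TEST,CN=Certificate Authority`), the hypothetical `csr_subject_*` helpers and the `chain_links` check are constructed for this illustration; the DER encoder handles only single-valued RDNs with two attribute types and omits RFC 4514 ordering and escaping, which is enough to show the tag change.

```python
import string
from typing import List, Tuple

# ASN.1 tags that appear in an X.509 Name (RDNSequence).
TAG_OID, TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x06, 0x0C, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31

# Only the two attribute types needed for the constructed sample subject.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O"}
ATTR_OIDS = {short: oid for oid, short in ATTR_NAMES.items()}
PRINTABLE_CHARS = set(string.ascii_letters + string.digits + " '()+,-./:=?")

Attr = Tuple[str, int, str]  # (dotted OID, ASN.1 string tag, value)


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # remaining arcs in base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(TAG_OID, bytes(body))


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_name(attrs: List[Attr]) -> bytes:
    rdns = b"".join(
        der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, encode_oid(oid) + der_tlv(tag, value.encode("utf-8"))))
        for oid, tag, value in attrs)
    return der_tlv(TAG_SEQUENCE, rdns)


def decode_name(der: bytes) -> List[Attr]:
    tag, seq, _ = der_read(der, 0)
    assert tag == TAG_SEQUENCE
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = der_read(seq, pos)
        assert tag == TAG_SET
        tag, atv, _ = der_read(rdn, 0)  # single-valued RDNs only
        assert tag == TAG_SEQUENCE
        tag, oid_body, p = der_read(atv, 0)
        assert tag == TAG_OID
        vtag, value, _ = der_read(atv, p)
        attrs.append((decode_oid(oid_body), vtag, value.decode("utf-8")))
    return attrs


def name_to_string(attrs: List[Attr]) -> str:
    # The lossy step: the string keeps the values but drops their ASN.1 tags.
    return ",".join(f"{ATTR_NAMES[oid]}={value}" for oid, _, value in attrs)


def name_from_string(text: str) -> List[Attr]:
    # With no tag information left, the re-encoder must pick one; the usual
    # choice is PrintableString whenever the value fits, UTF8String otherwise.
    attrs = []
    for part in text.split(","):
        short, value = part.split("=", 1)
        tag = TAG_PRINTABLESTRING if set(value) <= PRINTABLE_CHARS else TAG_UTF8STRING
        attrs.append((ATTR_OIDS[short], tag, value))
    return attrs


def csr_subject_via_string(cert_subject_der: bytes) -> bytes:
    """Hypothetical naive path: decode the cert's subject, print it, re-parse, re-encode."""
    return encode_name(name_from_string(name_to_string(decode_name(cert_subject_der))))


def csr_subject_preserving_der(cert_subject_der: bytes) -> bytes:
    """The behaviour the ticket asks for: reuse the certificate's subject DER unchanged."""
    return cert_subject_der


def chain_links(ca_subject_der: bytes, leaf_issuer_der: bytes) -> bool:
    """NSS-style link check: the leaf's issuer must equal the CA's subject byte for byte."""
    return ca_subject_der == leaf_issuer_der


# Constructed sample: a CA subject whose values are UTF8String, as in the Dogtag case.
ORIGINAL_SUBJECT = encode_name([("2.5.4.10", TAG_UTF8STRING, "EXAMPLE.TEST"),
                                ("2.5.4.3", TAG_UTF8STRING, "Certificate Authority")])

if __name__ == "__main__":
    naive, fixed = csr_subject_via_string(ORIGINAL_SUBJECT), csr_subject_preserving_der(ORIGINAL_SUBJECT)
    print("string forms equal:", name_to_string(decode_name(naive)) == name_to_string(decode_name(ORIGINAL_SUBJECT)))
    print("naive renewed subject still chains:", chain_links(naive, ORIGINAL_SUBJECT))
    print("DER-preserving renewed subject chains:", chain_links(fixed, ORIGINAL_SUBJECT))
```

The string forms of the two subjects are identical, which is why the breakage is easy to miss when comparing names by eye or with a string comparison; only the tag bytes (0x0C versus 0x13) differ, and that is exactly the level at which NSS matches a leaf's issuer against the CA's subject.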

Metadata Update from @nalin (3 years ago):
- Issue assigned to nalin
- Issue set to the milestone: 0.74
