CSR submitted to IIS CA fails due to ASN1 value
I have generated the private key and CSR from pyOpenSSL - code snippets below:
Key:
import os
import sys
from OpenSSL import crypto

def generate_key(type, bits, _keyfile):
    key = crypto.PKey()
    key.generate_key(type, bits)
    if os.path.exists(_keyfile):
        print "Certificate file exists, aborting."
        print " ", _keyfile
        sys.exit(1)
    else:
        # Write the private key out in PEM form
        f = open(_keyfile, "w")
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
        f.close()
    return key
CSR:
import os
import sys
from OpenSSL import crypto

def generate_csr(key, _csrfile, country, state, location, organisation,
                 organisational_unit, nodename, ss=None):
    req = crypto.X509Req()
    # Return an X509Name object representing the subject of the certificate.
    req.get_subject().countryName = country
    req.get_subject().stateOrProvinceName = state
    req.get_subject().localityName = location
    req.get_subject().organizationName = organisation
    req.get_subject().organizationalUnitName = organisational_unit
    req.get_subject().CN = nodename
    # Add in extensions
    #base_constraints = ([
    #    crypto.X509Extension("keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment"),
    #    crypto.X509Extension("basicConstraints", False, "CA:FALSE"),
    #])
    #x509_extensions = ([])
    x509_extensions = []
    # If there are SAN entries (ss), add a subjectAltName extension carrying them.
    if ss:
        san_constraint = crypto.X509Extension("subjectAltName", False, ss)
        x509_extensions.append(san_constraint)
    req.add_extensions(x509_extensions)
    # Set the public key of the certificate to pkey.
    req.set_pubkey(key)
    # Sign the certificate, using the key pkey and the message digest algorithm identified by the string digest.
    req.sign(key, "sha1")
    # Dump the certificate request req into a buffer string encoded with the type type.
    if os.path.exists(_csrfile):
        print "Certificate file exists, aborting."
        print " ", _csrfile
        sys.exit(1)
    else:
        f = open(_csrfile, "w")
        f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
        f.close()
The error I get back from the IIS CA is:
ASN1 bad tag value met. 0x8009310b (ASN: 267)
According to Microsoft, this is due to:
This behavior occurs when the certificate request is stored in a file in Unicode encoding. Microsoft Certificate Services do not support Unicode-encoded request files. Only ANSI encoding is supported.
I know that if I generate the CSR from openssl on the command line, it is accepted by the IIS CA RESTful web service and issued without error.
I'm wondering whether there is some way to generate an 'ANSI' encoded file from pyOpenSSL - I'm not sure whether it is the key file or the CSR signed with the key file that is causing the problem.
Thanks to @yodatg, I have solved it with the help of this Whosebug question.
The problem occurred because of a bug in pyOpenSSL that has since been fixed.
By issuing:
openssl asn1parse -in certificates/cert.csr
I could see the ASN1 value:
8:d=2 hl=2 l= 1 prim: INTEGER :01
In a working CSR it looks like this:
8:d=2 hl=2 l= 1 prim: INTEGER :00
I then changed my code to include a set_version call on the request object before signing:
# set version - IIS CA required this
req.set_version(0)
# Set the public key of the certificate to pkey.
req.set_pubkey(priv_key)
It is now resolved.
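As an added check that is not part of the question or the answer: the value the IIS CA rejected is the PKCS#10 CertificationRequestInfo version INTEGER, which RFC 2986 fixes at 0, so a request can be screened before submission by reading that field straight out of the DER. The code below (example code, not from the post or from pyOpenSSL) does that for a PEM or DER request; `_stub_csr` is a constructed skeleton request used only to exercise the parser.

```python
import base64
import re

# RFC 2986 (PKCS#10) fixes CertificationRequestInfo.version at 0 (v1); the
# pyOpenSSL bug in the question emitted 1, which the IIS CA rejects.
EXPECTED_CSR_VERSION = 0


def _read_tlv(der, pos):
    """Decode one DER tag and length at pos -> (tag, header_len, value_len)."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return tag, 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def csr_version(blob):
    """Return the version INTEGER of a PEM or DER PKCS#10 request; this is
    the field openssl asn1parse prints at depth d=2 (offset 8 in the post)."""
    der = blob.encode("ascii") if isinstance(blob, str) else bytes(blob)
    if der.startswith(b"-----"):           # PEM as written by FILETYPE_PEM
        der = base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", der).split()))
    pos = 0
    for name in ("CertificationRequest", "CertificationRequestInfo"):
        tag, hl, _ = _read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE for " + name)
        pos += hl                          # descend into the SEQUENCE
    tag, hl, length = _read_tlv(der, pos)  # first element: version INTEGER
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[pos + hl:pos + hl + length], "big")


def csr_acceptable(blob):
    """True when the request carries the version the IIS CA expects."""
    return csr_version(blob) == EXPECTED_CSR_VERSION


def _stub_csr(version):
    """Constructed sample: a skeleton CSR holding only the version field.
    Long-form lengths are used on purpose so the INTEGER lands at offset 8,
    matching the asn1parse line in the post; a real CSR has more content."""
    info = b"\x02\x01" + bytes([version])
    info_seq = b"\x30\x82" + len(info).to_bytes(2, "big") + info
    return b"\x30\x82" + len(info_seq).to_bytes(2, "big") + info_seq
```

Running `csr_acceptable` on the file pyOpenSSL wrote (or on `crypto.dump_certificate_request(crypto.FILETYPE_ASN1, req)`) reports False for a request built without `set_version(0)` and True after the fix.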