[Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9

Andrew Wnuk awnuk at redhat.com
Fri Oct 31 18:12:52 UTC 2008


Jan Meijer wrote:
> Hi Mike,
>
> On Fri, 31 Oct 2008, Michael Peck wrote:
>
>   
>> Try removing all of the text from your request file before the -----BEGIN
>> NEW CERTIFICATE REQUEST----- line.  (The "Certificate request generated by
>> Netscape certutil...Phone...", etc text.)
>> I tried that and then CMCEnroll worked on your request on my system.
>>
>> I'm not sure if your request is really malformed, it just doesn't have any
>> Attributes in it, so the SET OF Attributes (PKCS#10) is zero length and
>> dumpasn1 complains.
>>     
>
> And indeed it does over here as well, working that is.  My request is not
> malformed out of the ordinary.  The zero length that dumpasn1 complains
> about is explained by Steve Henson:
>
> http://www.mail-archive.com/openssl-dev@openssl.org/msg10922.html
>
> I tested further today and got more frustrated and then got it working
> and now I think I know what's going on.  Thanks for delivering the final
> piece to my little puzzle :)
>
> I tested with requests generated by certutil and openssl.  And given my
> familiarity with openssl I started with that.  CMCEnroll bombed on the
> openssl PEM input,
The difference between NSS and OpenSSL formats is usually in the headers.
See:
    http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates
    http://pki.fedoraproject.org/wiki/PKI_TechNote_CRLS

>  so I figured, well, convert it to DER.  And then the
> bombing was different and I got the error I sent to the list.
>
> Because this approach didn't work, switched to certutil *testing with the
> binary output*.  I did test it with ASCII output but apparently didn't
> test with the stuff in front of the actual request removed, otherwise I'd
> have found the right way yesterday already.
>
> I got it working today with a request generated by the pkiconsole.  An
> ascii request.  And then I tried your suggestion and yes, it worked as
> well.
>
> Then I tried again with my openssl ascii output, and no, didn't work.
> But, then I converted the openssl DER output to binary using the AtoB
> utility and *then* it worked.
>
> I don't know enough intricate details about the formats the requests can
> be in but am tempted to say that the openssl binary format is incompatible
> with what is expected by CMCEnroll.
>
> And little technologist, what did you learn today?  That when confronted
> with multiple options I should document what I've tested in a proper test
> matrix.
>
> And, oh lucky me, I learned to use certutil.  I think that tool is a bit
> clunky ;)
>
>
> Mike, Marc, thanks for your help :=)  I'm now unstuck and on the road to
> bliss.
>
>   
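Added example, not part of the original thread and not CMCEnroll's own parsing: a Python helper that performs the clean-up suggested above (dropping the text in front of the `-----BEGIN ... CERTIFICATE REQUEST-----` line), accepts either header spelling, and checks that the decoded bytes form a single outer DER SEQUENCE. The function names and the sample input are constructed for illustration.

```python
import base64
import re

# Matches the "NEW CERTIFICATE REQUEST" header quoted above and the
# "CERTIFICATE REQUEST" header that OpenSSL writes.
PEM_RE = re.compile(
    r"-----BEGIN ((?:NEW )?CERTIFICATE REQUEST)-----(.*?)-----END \1-----",
    re.S,
)

def strip_preamble(data: bytes) -> bytes:
    """Return only the PEM block, dropping any text before or after it."""
    m = PEM_RE.search(data.decode("ascii", "replace"))
    if not m:
        raise ValueError("no certificate request PEM block found")
    return m.group(0).encode("ascii") + b"\n"

def check_outer_sequence(der: bytes) -> None:
    """Require exactly one DER SEQUENCE (tag 0x30) spanning all the bytes."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer tag is not SEQUENCE (0x30)")
    if der[1] < 0x80:                      # short-form length
        hdr, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("declared length does not match data size")

def extract_der(data: bytes) -> bytes:
    """Accept PEM (with or without leading text) or raw DER; return DER."""
    m = PEM_RE.search(data.decode("ascii", "replace"))
    if m:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    else:
        der = data                         # assume binary DER input
    check_outer_sequence(der)
    return der

# Constructed sample: a 5-byte placeholder SEQUENCE, not a real PKCS#10 request.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_FILE = (
    "Certificate request generated by Netscape certutil\n"
    "Phone: (not specified)\n\n"
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
).encode("ascii")
```
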



