Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR
luca at pca.it
Wed Mar 30 12:01:42 UTC 2011
On Sun, 27 Mar 2011 09:38:13 +0200, Nikos Mavrogiannopoulos wrote:
> On 03/26/2011 06:57 PM, Luca Capello wrote:
>> I was creating a Certificate Signing Request with certtool and then I
>> discovered that the output file contains more than the CSR, even worse
>> it contains the password asked during the creation.
> I don't quite understand what is the issue here. What is the
> information contained in the CRQ that you consider "useless"?
As I wrote, the "new" CSR (BTW, what does CRQ mean?) contains data other
than the request itself, e.g. the password in clear, example below.
> Could you send a way for us to reproduce the problem or a wrongly
> generated CRQ (and the way it was generated - the example
> you have generates a valid CRQ for me).
Please note that I never wrote that the resulting CSR is broken. In
fact, I have not even tested the "new" CSR, but I used certtool in the
past in the very same way I am now trying to.
Here how to reproduce the problem:
luca at gismo:~$ certtool --generate-privkey \
--bits 4096 --outfile pca.it.key
luca at gismo:~$ certtool --generate-request \
--load-privkey pca.it.key --outfile gallery.pca.it.csr
Generating a PKCS #10 certificate request...
Country name (2 chars): IT
Organization name: PCA
Organizational unit name:
Locality name: Casalpusterlengo
State or province name: Lodi
Common name: gallery.pca.it
Enter a dnsName of the subject of the certificate: gallery.pca.it
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): n
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): n
Is this a TLS web client certificate? (y/N): n
Is this also a TLS web server certificate? (y/N): y
luca at gismo:~$ $ cat gallery.pca.it.csr
PKCS #10 Certificate Request Information:
Subject Public Key Algorithm: RSA
Modulus (bits 4096):
Subject Alternative Name (not critical):
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Usage (critical):
Key Purpose (critical):
TLS WWW Server.
Challenge password: asdf
Public Key Id:
[Public Key Id removed]
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
luca at gismo:~$
Previous versions of certtool (at least the one I used in August 2008,
<http://snapshot.debian.org/package/gnutls26/2.4.1-1/>) generated a CSR
which contained only the part between the BEGIN and END separators.
This latter is AFAIK the only part needed for a CA (e.g. CAcert.org) and
it is what OpenSSL outputs per the following command:
$ openssl req -nodes -new -key pca.it.key -out gallery.pca.it.csr
Gismo / Luca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 835 bytes
Desc: not available
More information about the Pkg-gnutls-maint