Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 30 12:20:04 UTC 2011

On Wed, Mar 30, 2011 at 2:01 PM, Luca Capello <luca at pca.it> wrote:

>> I don't quite understand what is the issue here. What is the
>> information contained in the CRQ that you consider "useless"?
> As I wrote, the "new" CSR (BTW, what does CRQ mean?) contains data other
> than the request itself, e.g. the password in clear, example below.

But this is how the PKCS #10 certificate request is designed. The
challenge password might be used by your CA to revoke your
certificate, and is stored in the clear. Does your CA actually require
that password? I'd expect to ask for something like that via an
out-of-band process.

>> Could you send a way for us to reproduce the problem or a wrongly
>> generated CRQ (and the way it was generated - the example
>> you have generates a valid CRQ for me).
> Please note that I never wrote that the resulting CSR is broken.  In
> fact, I have not even tested the "new" CSR, but I used certtool in the
> past in the very same way I am now trying to.
> Previous versions of certtool (at least the one I used in August 2008,
> <http://snapshot.debian.org/package/gnutls26/2.4.1-1/>) generated a CSR
> which contained only the part between the BEGIN and END separators.

Ok, it seems I have misunderstood. I don't see however why printing the
text form of the encoded request is an issue here. Could you elaborate
on that? I can understand though that having stricter permissions for
the generated file might be needed.
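An added example (not code from GnuTLS or from anyone in this thread) illustrating the two points above: it keeps only the part between the BEGIN and END separators of certtool-style output, and then walks the DER to show that the PKCS #10 challengePassword attribute inside the request is readable in clear. The certtool text dump format and the sample request bytes are constructed for the example; the PEM labels and the challengePassword OID are the standard ones.

```python
import base64
import re

# pkcs-9 challengePassword (OID 1.2.840.113549.1.9.7), DER-encoded with its OBJECT IDENTIFIER header
CHALLENGE_PASSWORD = bytes.fromhex("06092a864886f70d010907")
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----.*?-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def der(tag, body):  # minimal DER TLV encoder (short and long length forms)
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def build_sample_csr(password=None):
    # Constructed PKCS #10 shape with placeholder key and signature: structurally right, not a signed CSR
    subject = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"example"))))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, bytes(17)))
    # Attribute ::= SEQUENCE { type OID, values SET OF PrintableString }; the password goes in as plain text
    attrs = der(0x30, CHALLENGE_PASSWORD + der(0x31, der(0x13, password.encode()))) if password else b""
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, attrs))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    return der(0x30, info + sig_alg + der(0x03, bytes(17)))

def make_sample_output(password=None):
    # Imitates certtool printing a text dump ahead of the PEM block (the dump format here is approximate)
    text = "PKCS #10 Certificate Request Information:\n\tSubject: CN=example\n"
    text += "\tChallenge password: %s\n" % password if password else ""
    b64 = base64.encodebytes(build_sample_csr(password)).decode()
    return text + "\n-----BEGIN NEW CERTIFICATE REQUEST-----\n" + b64 + "-----END NEW CERTIFICATE REQUEST-----\n"

def extract_request_pem(output):  # keep only the part between the BEGIN and END separators, else None
    m = PEM_RE.search(output)
    return m.group(0) + "\n" if m else None

def _tlv(buf, i):  # decode one DER tag/length/value at offset i -> (tag, value, next offset)
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the actual length
        length, i = int.from_bytes(buf[i:i + (length & 0x7F)], "big"), i + (length & 0x7F)
    return tag, buf[i:i + length], i + length

def find_challenge_password(pem):
    # Depth-first walk over the request's DER tree; returns the clear-text challengePassword, or None
    stack = [base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))]
    while stack:
        buf, i = stack.pop(), 0
        while i + 1 < len(buf):
            tag, body, i = _tlv(buf, i)
            if tag == 0x30 and body.startswith(CHALLENGE_PASSWORD):
                return _tlv(_tlv(body, len(CHALLENGE_PASSWORD))[1], 0)[1].decode()
            if tag & 0x20:  # constructed type: descend into it
                stack.append(body)
    return None
```

Stripping the text dump removes the readable copy of the password, but the encoded request still carries it, so the file deserves the same permissions as any other secret.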