000026178 - Error: 'Unable to complete decoding operation' when submitting PKCS10 from Enrollment server in Keon Certificate Authority or RSA Certificate Manager

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026178
Applies ToRSA Certificate Manager 6.6
RSA Certificate Manager 6.7
RSA Certificate Manager 6.8
RSA Certificate Manager (RCM)
RSA Keon Certificate Authority
Microsoft Windows 2003 Server
IssueError: "Unable to complete decoding operation" when submitting PKCS10 from Enrollment server in Keon Certificate Authority or RSA Certificate Manager
The following error shows when attempting to submit a PKCS#10 certificate request on Keon Certificate Authority (KCA) enrollment page:

Program Error
!PKCS10Parse(): [XrcDECODINGFAILURE] unable to complete decoding operation. XudaParsePKCS10Request(): [XrcDECODINGFAILURE: unable to complete decoding operation]
The ASN.1 parsing of the PKCS#10 request showed the following information on Email address encoding:

002c: 06 09 <5> Object Identifier 9 octets = E-mail Address
002e: 2a 8648 86f70d 01 09 01 {1.2.840.113549.1.9.1}
0037: 0c 0d <5> UTF8 String 13 octets
CauseAs per RFC 3280 (http://www.faqs.org/rfcs/rfc3280.html) and the latest RFC 5280 (http://datatracker.ietf.org/doc/rfc5280/), Email should be of type 'IA5String' and countryname should be a PrintableString.  RSA Certificate Manager generated a decoding failure error due to the request not conforming to RFC3280/RFC5280.
ResolutionCorrect the application generating the PKCS#10 request so that the email address and/or countryname in PKCS10 request is coded as an IA5String instead of UTF8 String.  A PKCS10 request with proper encoding will go through RSA Certificate Manager without an error.
WorkaroundJava Programming language was used to encode the UTF-8 String of E-Mail Address in the PKCS10 request
The countryname should be encoded as Printable String only. Please refer
http://www.ietf.org/rfc/rfc3280.txt, Page 96, it is mentioned as:

id-at-countryName       AttributeType ::= { id-at 6 }
X520countryName ::=     PrintableString (SIZE (2))
Legacy Article IDa38774

Attachments

    Outcomes