000020355 - How to process PKCS#10 Certificate Signing Request (CSR) from WebSphere

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000020355
Applies ToMicrosoft Windows 2000
IBM WebSphere
IBM WebSphere
Keon Certificate Authority
IssueHow to process PKCS#10 Certificate Signing Request (CSR) from WebSphere
How to process PKCS#10 Certificate Signing Request (CSR) from Microsoft Windows 2000 domain controller
Program Error
!PKCS10Parse(): [XrcDECODINGFAILURE] unable to complete decoding operation. XudaParsePKCS10Request():
[XrcDECODINGFAILURE: unable to complete decoding operation]
CauseThe ASN.1 encoding of the certificate request contains an error, and hence does not correctly represent the desired request. Some Certificate Authority programs will incorrectly ignore the error; however, Keon Certificate Authority will recognize the encoding error with the given error message.

One specific known encoding error is that there is an extra Context Specific tag included in the encoded Certificate Signing Request (CSR). Another common fault with submissions from a Windows 2000 domain controller is a request with no email address specified. If the ASN.1 is decoded, you would see the following type of display:

   OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
     Error: Object has zero length.
ResolutionTo identify where in the request the error has occurred, perform the following steps:

1. Save the Certificate Signing Request (CSR) with a .64 suffix

2. Strip the -----BEGIN NEW CERTIFICATE REQUEST----- header and footer so the file contains pure Base64

3. Open the file with WinZip and extract the file called "unknown.001"

4. Read the file 'unkown.001' with any of the well known ASN.1 decoders

One of the most commonly used and referenced tools is "dumpasn1" from Peter Gutmann, and may be found at http://www.cs.auckland.ac.nz/~pgut001/. Also, a Windows front end has recently been produced and can be downloaded from http://www.geminisecurity.com/guidumpasn.html.
WorkaroundA PKCS#10 certificate request was submitted that was generated by an IBM WebSphere system
Legacy Article IDa16231