|Applies To||Microsoft Windows 2000|
Keon Certificate Authority
|Issue||How to process PKCS#10 Certificate Signing Request (CSR) from WebSphere|
How to process PKCS#10 Certificate Signing Request (CSR) from Microsoft Windows 2000 domain controller
!PKCS10Parse(): [XrcDECODINGFAILURE] unable to complete decoding operation. XudaParsePKCS10Request():
[XrcDECODINGFAILURE: unable to complete decoding operation]
|Cause||The ASN.1 encoding of the certificate request contains an error, and hence does not correctly represent the desired request. Some Certificate Authority programs will incorrectly ignore the error; however, Keon Certificate Authority detects the encoding error and reports it with the error message given above.|
One specific known encoding error is an extra Context Specific tag included in the encoded Certificate Signing Request (CSR). Another common fault with submissions from a Windows 2000 domain controller is a request with no email address specified. When the ASN.1 is decoded, the output looks like the following:
OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
Error: Object has zero length.
|Resolution||To identify where in the request the error has occurred, perform the following steps:|
1. Save the Certificate Signing Request (CSR) with a .64 suffix
2. Strip the -----BEGIN NEW CERTIFICATE REQUEST----- header and footer so the file contains pure Base64
3. Open the file with WinZip and extract the file called "unknown.001"
4. Read the file "unknown.001" with any of the well-known ASN.1 decoders
One of the most commonly used and referenced tools is "dumpasn1" by Peter Gutmann, which can be found at http://www.cs.auckland.ac.nz/~pgut001/. Also, a Windows front end has recently been produced and can be downloaded from http://www.geminisecurity.com/guidumpasn.html.
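Steps 2 to 4 can also be scripted. The following Python is an added example, not part of the original article or of Keon Certificate Authority: it strips the header and footer, decodes the Base64, and walks the DER structure to report any zero-length object together with the OID that precedes it. The function names are hypothetical, the sample input is a constructed subject-name fragment rather than a full CSR, and the walker assumes single-byte tags and definite lengths.

```python
import base64

# Constructed sample: a subject-name fragment (not a full CSR) with an empty emailAddress value.
SAMPLE_DER = bytes.fromhex("3011310f300d06092a864886f70d0109011600")
SAMPLE_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END NEW CERTIFICATE REQUEST-----\n")

def pem_to_der(pem):
    """Drop the -----BEGIN/END----- lines and Base64-decode what is left."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)

def oid_to_str(v):
    """Turn DER OID content bytes into dotted form; malformed content comes back as hex."""
    arcs, n = [], 0
    for b in v:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    if not arcs or v[-1] & 0x80:
        return v.hex()
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def read_header(der, pos):
    """Return (tag, value_start, value_end) for the definite-length TLV at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if length > 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("length runs past end of data")
    return tag, pos, pos + length

def find_zero_length(der, base=0):
    """List (offset, tag, preceding OID) for each empty primitive other than NULL."""
    found, last_oid, pos = [], None, 0
    while pos < len(der):
        tag, vs, ve = read_header(der, pos)
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend into it
            found += find_zero_length(der[vs:ve], base + vs)
        elif vs == ve and tag != 0x05:  # empty primitive; NULL is legitimately empty
            found.append((base + pos, tag, last_oid))
        elif tag == 0x06:  # remember the OID so the empty value can be attributed
            last_oid = oid_to_str(der[vs:ve])
        pos = ve
    return found
```

Calling find_zero_length(pem_to_der(SAMPLE_PEM)) reports one empty IA5String at offset 17, attributed to OID 1.2.840.113549.1.9.1 (emailAddress), which matches the decoder display shown under Cause.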
|Workaround||A PKCS#10 certificate request was submitted that was generated by an IBM WebSphere system|
|Legacy Article ID||a16231|