000022852 - Unable to request Certificate for a Check Point Firewall through PKCS10 request in RSA Certificate Manager

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000022852
Applies To: RSA Certificate Manager 6.6
Microsoft Windows
Sun Solaris
Check Point Firewall
Issue: Unable to request Certificate for a Check Point Firewall through PKCS10 request in RSA Certificate Manager
When submitting a PKCS10 request from Check Point Firewall through the enrollment page, the following error appears after clicking the Submit button:

!PKCS10Parse(): [XrcDECODINGFAILURE] unable to complete decoding operation. XudaParsePKCS10Request(): [XrcDECODINGFAILURE: unable to complete decoding operation]
When generating the request in Check Point Firewall, there is an option to include alternative name information, for example an IP address. You select the checkbox and the option you require. This information is placed in the request as the Subject Alternative Name.
Cause: When using an ASN.1 Editor to view the request, the Subject Alternative Name portion appears as follows:

 243 31   22:         SET {
 245 30   20:           SEQUENCE {
 247 30   18:             SEQUENCE {
 249 06    3:               OBJECT IDENTIFIER subjectAltName (2 5 29 17)
 254 01    1:               BOOLEAN FALSE
 257 04    8:               OCTET STRING
            :                 30 06 87 04 3E B0 3F 28

The line that includes BOOLEAN FALSE should not be present in that part of the request, as it makes the format invalid. This causes the decoding failure.
Resolution: If you require a Subject Alternative Name in the certificate, do not include it in the request; instead, get the Administrator of Vettor to input it as part of the approval process.
Legacy Article ID: a30678
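
The check below is an added example, not part of the RSA article or any RSA or Check Point code. It walks DER bytes, reports any extension that encodes `critical` as an explicit BOOLEAN FALSE (DER omits a field equal to its DEFAULT, and `critical` defaults to FALSE), and decodes the IP address so it can be entered during approval. All function names and both byte strings are constructed for illustration; the first string re-encodes the fragment from the dump above.

```python
import ipaddress

# Constructed samples. PAGE_FRAGMENT re-encodes the SET shown in the ASN.1 dump
# above; CLEAN_FRAGMENT is the same extension with the BOOLEAN left out.
PAGE_FRAGMENT = bytes.fromhex("3116 3014 3012 0603551d11 010100 0408 300687043eb03f28")
CLEAN_FRAGMENT = bytes.fromhex("3113 3011 300f 0603551d11 0408 300687043eb03f28")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos.
    Single-byte tags only, which covers everything in a PKCS#10 request."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def children(buf, start, end):
    """Return the TLVs found back to back in buf[start:end]."""
    out = []
    while start < end:
        tlv = read_tlv(buf, start)
        out.append(tlv)
        start = tlv[2]
    return out

def find_explicit_false(buf, start=0, end=None):
    """Return (oid_hex, extnValue bytes) for each Extension that encodes
    critical as an explicit BOOLEAN FALSE (OID, BOOLEAN 00, OCTET STRING)."""
    found = []
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:                 # primitive: nothing nested to walk
            continue
        kids = children(buf, vs, ve)
        if (tag == 0x30 and [k[0] for k in kids] == [0x06, 0x01, 0x04]
                and buf[kids[1][1]:kids[1][2]] == b"\x00"):
            found.append((buf[kids[0][1]:kids[0][2]].hex(), buf[kids[2][1]:kids[2][2]]))
        found += find_explicit_false(buf, vs, ve)
    return found

def san_ip_addresses(extn_value):
    """Decode iPAddress ([7], tag 0x87) entries from a subjectAltName value."""
    _, vs, ve = read_tlv(extn_value, 0)    # GeneralNames SEQUENCE
    return [str(ipaddress.ip_address(extn_value[s:e]))
            for t, s, e in children(extn_value, vs, ve) if t == 0x87]
```

To check a real request, pass the base64-decoded DER bytes of the PKCS10 file to `find_explicit_false`; the OID `551d11` in a result is subjectAltName (2 5 29 17).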