000020508 - KCA gives invalid signature when approving certificate request

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000020508
Applies To: Keon Certificate Authority 6.5
Microsoft Windows 2000 Server SP3
Certificate enrollment with a PKCS#10
Issue: KCA gives invalid signature when approving certificate request
Request does not give error on older versions of KCA
Cause: Within a PKCS#10 Certificate Request as defined by PKCS#10 and clarified in RFC 2986, the "Attributes" field is required, even when no Attributes are present. According to RFC 2986, "Attributes" is defined as follows:

 Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

The "Attributes" field is not marked as OPTIONAL, so it must be present. However, a "SET OF" can include zero or more elements. So, a properly constructed Certificate Request with no attributes will include the encoded SET OF with a zero length for the contents.

Historically, some PKI products (including earlier versions of the Keon Certificate Authority) have misinterpreted the standard and omitted the "Attributes" field when no attributes were present. This causes interoperability issues, and the issues have been fixed in later versions of KCA.

When attempting to import into KCA a PKCS#10 Certificate Request that omits the "Attributes" field, an error will be returned.
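
A structural check for the condition described above, as an added example (not RSA's code or part of the original article): it walks the DER of a PKCS#10 request and reports whether the attributes field, which RFC 2986 encodes with the context tag [0] (byte 0xA0), is missing, empty, or populated. The sample requests are constructed placeholders with no real key or signature, and the function names are chosen for this example.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):                      # split constructed contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def attributes_status(csr_der):
    """Return 'missing', 'empty' or 'present' for the attributes field."""
    tag, body, end = read_tlv(csr_der, 0)
    if tag != 0x30 or end != len(csr_der):
        raise ValueError("not a single DER SEQUENCE")
    outer = children(body)
    if not outer or outer[0][0] != 0x30:
        raise ValueError("no CertificationRequestInfo")
    info = children(outer[0][1])          # version, subject, subjectPKInfo, [attributes]
    if len(info) < 3:
        raise ValueError("CertificationRequestInfo too short")
    # attributes is [0] IMPLICIT SET OF -> tag byte 0xA0; empty encodes as A0 00
    if len(info) < 4 or info[3][0] != 0xA0:
        return "missing"
    return "empty" if info[3][1] == b"" else "present"

def tlv(tag, value=b""):                  # sample builder; short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed sample data: placeholder key and signature, not a valid request.
HEAD = tlv(0x02, b"\x00") + tlv(0x30) + tlv(0x30, tlv(0x30) + tlv(0x03, b"\x00"))
TAIL = tlv(0x30) + tlv(0x03, b"\x00")
CSR_OMITTED = tlv(0x30, tlv(0x30, HEAD) + TAIL)              # malformed: field left out
CSR_EMPTY = tlv(0x30, tlv(0x30, HEAD + tlv(0xA0)) + TAIL)    # correct: A0 00
```

The function expects raw DER bytes, so a PEM request must be base64-decoded first; a result of "missing" identifies a request produced by software with the omission described in this article.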
Resolution: The solution is to obtain a fixed version of the application that generated the malformed Certificate Request. A workaround is also available: go into the refused queue and approve the request there.
Workaround: A PKCS#10 certificate request was submitted by 3rd Party Software
KCA 6.5 validates certificate request where older versions did not
Legacy Article ID: a17077