KCA gives invalid signature when approving certificate request

3 years ago

Originally Published: 2003-06-05

Article Number

000054313

Applies To

Keon Certificate Authority 6.5
Microsoft Windows 2000 Server SP3
Certificate enrollment with a PKCS#10

Issue

KCA gives invalid signature when approving certificate request
Request does not give error on older versions of KCA

Cause

Within a PKCS#10 Certificate Request as defined by PKCS#10 and clarified in RFC 2986, the "Attributes" field is required, even when no Attributes are present. According to RFC 2986, "Attributes" is defined as follows:

Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

The "Attributes" field is not marked as OPTIONAL, so it must be present. However, a "SET OF" can include zero or more elements. So, a properly constructed Certificate Request with no attributes will include the encoded SET OF with a zero length for the contents.

Historically, some PKI products (including earlier versions of the Keon Certificate Authority) have misinterpreted the standard and omitted the "Attributes" field when no attributes were present. This causes interoperability issues, and the issues have been fixed in later versions of KCA.

When attempting to import into KCA a PKCS#10 Certificate Request that omits the "Attributes" field, an error will be returned.

Resolution

The solution is to obtain a fixed version of the application that generated the malformed Certificate Request. A workaround is also available by going into refused queue and approving request there.

Workaround

A PKCS#10 certificate request was submitted by 3rd Party Software
KCA 6.5 validates certificate request where older versions did not

Don't see what you're looking for?

Related Articles

Trending Articles