Collections:
Other Resources:
OpenSSL "req -verify" - Error "wrong signature length"
Why I am getting the "wrong signature length" error when running the OpenSSL "req -verify" command?
✍: FYIcenter.com
If you are getting the "wrong signature length" error when running the OpenSSL "req -verify" command, the CSR you are trying to verify has invalid digital signature.
There 2 main possibilities for a CSR to have invalid digital signature:
The first case is unlikely to happen, if the CSR is generated by you. Unless someone hacked your computer.
The second case may happen, if you convert a certificate to CSR and sign it with the wrong private key.
For example, you find that your server certificate is about to expire. So you download it and use the "x509 -x509toreq" command to convert it to a new CSR. This ensures that the new CSR has exactly the same DN (Distinguished Name) fields as the existing certificate.
But if you are not able to find the private key that matches the public key in the certificate, and use another private key with the "x509 -x509toreq", you will end up with an invalid CSR of case 2 listed above.
In the test below, we are going to download linkedin.com certificate and convert it to a new CSR using my own private to sign. Of course, the new CSR will be no good.
C:\Users\fyicenter>\local\OpenSSL\openssl s_client -connect twitter.com:443 > twitter.crt C:\Users\fyicenter>\local\OpenSSL\openssl OpenSSL> x509 -x509toreq -in twitter.crt -signkey my_ca.key -out twitter.csr Getting request Private Key Enter pass phrase for my_ca.key:fyicenter Generating certificate request OpenSSL> req -verify -in twitter.csr -noout verify failure 6164:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length: .\crypto\rsa\rsa_sign.c:186: 6164:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib: .\crypto\asn1\a_verify.c:218:
The error message in the "req -verify" command output confirms that twitter.csr is generated by the "x509 -x509toreq" command is invalid. Signing someone else's public key in the CSR with your private key is not acceptable.
⇒ OpenSSL "x509 -req" - Quick Way to Sign CSR
2020-10-03, 15568🔥, 1💬
Popular Posts:
Certificate summary - Owner: Microsoft Internet Authority Issuer: GTE CyberTrust Global Root, "GTE C...
Certificate summary - Owner: www.purevolume.com, Domain Control Validated Issuer: SERIALNUMBER=07969...
Certificate summary - Owner: getresponse.com, Domain Control Validated Issuer: SERIALNUMBER=07969287...
Certificate Summary: Subject: GeoTrust Primary Certification Authority - G3 Issuer: GeoTrust Primary...
where to find online tools to manage security certificates? I want to decode a certificate and a CSR...