OpenSSL "req -verify" - Error "wrong signature length"

Q

Why I am getting the "wrong signature length" error when running the OpenSSL "req -verify" command?

✍: FYIcenter.com

A

If you are getting the "wrong signature length" error when running the OpenSSL "req -verify" command, the CSR you are trying to verify has invalid digital signature.

There 2 main possibilities for a CSR to have invalid digital signature:

The CSR has been modified by someone.
The CSR has been signed by the wrong private key.

The first case is unlikely to happen, if the CSR is generated by you. Unless someone hacked your computer.

The second case may happen, if you convert a certificate to CSR and sign it with the wrong private key.

For example, you find that your server certificate is about to expire. So you download it and use the "x509 -x509toreq" command to convert it to a new CSR. This ensures that the new CSR has exactly the same DN (Distinguished Name) fields as the existing certificate.

But if you are not able to find the private key that matches the public key in the certificate, and use another private key with the "x509 -x509toreq", you will end up with an invalid CSR of case 2 listed above.

In the test below, we are going to download linkedin.com certificate and convert it to a new CSR using my own private to sign. Of course, the new CSR will be no good.

C:\Users\fyicenter>\local\OpenSSL\openssl s_client -connect twitter.com:443 
   > twitter.crt

C:\Users\fyicenter>\local\OpenSSL\openssl

OpenSSL> x509 -x509toreq -in twitter.crt -signkey my_ca.key -out twitter.csr
Getting request Private Key
Enter pass phrase for my_ca.key:fyicenter
Generating certificate request

OpenSSL> req -verify -in twitter.csr -noout
verify failure
6164:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:
   .\crypto\rsa\rsa_sign.c:186:
6164:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:
   .\crypto\asn1\a_verify.c:218:

The error message in the "req -verify" command output confirms that twitter.csr is generated by the "x509 -x509toreq" command is invalid. Signing someone else's public key in the CSR with your private key is not acceptable.

⇒ OpenSSL "x509 -req" - Quick Way to Sign CSR

⇐ OpenSSL "x509 -x509toreq" - Conver Certificate to CSR

⇑ OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2020-10-03, 14990👍, 1💬

OpenSSL "x509 -req" - Error "my_ca.srl: No error"
Why I am getting the "my_ca.srl: No error" error when trying to sign a CSR with OpenSSL "x509" command? You are getting the "my_ca.srl: No error" error when using OpenSSL "x509" command to sign a CSR, because OpenSSL is not able to access the default serial number file: my_ca.srl. When using "x509" ... 2018-02-08, 12581👍, 0💬

Download and Install OpenSSL slproweb Binary for Windows
How to download OpenSSL for Windows? I heard that OpenSSL is a nice free tool to manage keys and certificates. You can download and install OpenSSL Windows version using these steps: 1. Go to the https://slproweb.com/products/ Win32OpenSSL.htmlWebsite. 2. Scroll down and select the latest version th... 2018-01-19, 10590👍, 0💬

OpenSSL "x509 -x509toreq" - Conver Certificate to CSR
How to convert a certificate to a CSR using OpenSSL "x509" command? I want to generate a CSR with the same information as my existing certificate. You can convert a certificate to a CSR using the OpenSSL "x509 -x509toreq" command as shown below: C:\Users\fyicenter>\loc al\openssl\openssl.exeO... 2018-02-14, 8405👍, 0💬

OpenSSL "s_client" Command
Where to find tutorials on using OpenSSL "s_client" command? Here is a collection of tutorials on using OpenSSL "s_client" command compiled by FYIcenter.com team. OpenSSL "s_client" Command Options OpenSSL "s_client -connect" - Connect to HTTPS Web Site OpenSSL "s_client -connect" - View Server Cert... 2021-04-24, 5486👍, 5💬

💬 2018-01-24 FYIcenter.com: @Janathan, what are you trying to say with that command?

💬 2018-01-24 Jonathan: openssl s_client -showcerts yum.******.org:443

OpenSSL "x509" Command
Where to find tutorials on using OpenSSL "x509" command? Here is a collection of tutorials on using OpenSSL "x509" command compiled by FYIcenter.com team. OpenSSL "x509" Command Options Sample X.509 Certificate File to Test OpenSSL OpenSSL "x509 -text" - Print Certificate Info OpenSSL "x509 -fingerp... 2019-09-04, 5257👍, 1💬

💬 2019-09-04 chintu: openssl genpkey -algorithm B -out A

General Information about OpenSSL
Where to find general information OpenSSL? I want to get basic understanding of OpenSSL. Here is a collection of tutorials that provides general information about OpenSSL compiled by FYIcenter.com team. What Is OpenSSL Download and Install OpenSSL Fulgan Binary for Windows Run OpenSSL Commands List ... 2018-01-19, 3611👍, 0💬

OpenSSL "genpkey" Command for RSA Keys
Where to find tutorials on using OpenSSL "genpkey" and "pkey" commands for RSA private keys? Here is a collection of tutorials on using OpenSSL "genpkey" and "pkey" commands compiled by FYIcenter.com team to generate and manage RSA (Rivest, Shamir and Adleman) private keys OpenSSL "genpkey" Command ... 2018-01-24, 3125👍, 0💬

OpenSSL Fulgan Binary Crash on Windows 7
Why am I getting an error when running OpenSSL "verify" command? I am using the OpenSSL Fulgan binary version. If you running OpenSSL 1.0.2h Fulgan binary version on a Windows 7 system, you can try to run the following OpenSSL "verify" command: C:\Users\fyicenter>\loc al\openssl\openssl.exeOp... 2018-01-27, 2354👍, 0💬

OpenSSL "x509 -req" - Quick Way to Sign CSR
How to sign a CSR with OpenSSL "x509" command? I want a quick way to sign a CSR without setting the OpenSSL "ca" command. Normally, you should set up OpenSSL "ca" command to sign a CSR. But if you want quick alternative, you can use the "x509" command to sign a CSR as shown in the test below: C:\Use... 2018-02-01, 2283👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.