CSR failing: Error Parsing Request ASN1 bad tag value met (ASN: 267 CRYPT_E_ASN1_BADTAG)

That's because a CSR request is not your public key in PEM format. A CSR has a different ASN.1 notation compared to a public key. That's why you are getting an ASN.1-related error.

You can see this gist on how to create a CSR using the Ruby wrapper for OpenSSL. As you can see, you'd need to specify your distinguished names as well.

require 'openssl'

# Build a PKCS#10 certificate signing request for the given RSA key.
def csr(key)
  # Distinguished-name fields for the request subject
  options = {
    :country      => 'PL',
    :state        => 'M',
    :city         => 'Cracow',
    :organization => 'OSPL',
    :department   => '',
    :common_name  => 'OSPL',
    :email        => ''
  }

  request = OpenSSL::X509::Request.new
  request.version = 0
  request.subject = OpenSSL::X509::Name.new([
    ['C',             options[:country],      OpenSSL::ASN1::PRINTABLESTRING],
    ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
    ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
    ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
    ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
    ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
    ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
  ])
  request.public_key = key.public_key
  # Sign with the private key and return the signed request; call #to_pem on
  # the result to get the text to submit.
  # SHA1 is deprecated for signatures; SHA256 is the usual replacement.
  request.sign(key, OpenSSL::Digest::SHA1.new)
end
Author by

Micheal

Updated on June 05, 2022
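
The difference the answer describes can be checked locally before anything is sent to the CA. The following is an added example, not code from the original answer or the gist: it builds a CSR signed with SHA-256, compares the outer ASN.1 layout of a public key with that of a CSR, and rejects a public key that only carries CSR header lines. The helper names, the throwaway key and the subject values are constructed for illustration.

```ruby
require 'openssl'

# Build a PKCS#10 request for `key`, signed with SHA-256 rather than SHA-1.
def build_csr(key, subject)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new(subject)
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Top-level ASN.1 element types of a PEM body, e.g. ["Sequence", "BitString"].
def outer_shape(pem)
  der = pem.lines.reject { |l| l.start_with?('-----') }.join.unpack1('m')
  OpenSSL::ASN1.decode(der).value.map { |v| v.class.name.split('::').last }
end

# Pre-submission check: returns nil when the PEM is a usable CSR, otherwise a
# string describing the problem.
def csr_problem(pem)
  req = OpenSSL::X509::Request.new(pem)
  return 'self-signature does not verify' unless req.verify(req.public_key)
  if req.signature_algorithm =~ /sha1|md5/i
    return "weak signature algorithm: #{req.signature_algorithm}"
  end
  nil
rescue OpenSSL::OpenSSLError => e
  "not a PKCS#10 request: #{e.message}"
end

# Constructed sample data: a throwaway key and a placeholder subject.
KEY = OpenSSL::PKey::RSA.new(2048)
SUBJECT = [['C', 'US'], ['O', 'Example Org'], ['CN', 'client.example.test']]
CSR_PEM = build_csr(KEY, SUBJECT).to_pem
# The mistake from the question: a public key with CSR header lines.
RELABELLED = KEY.public_key.to_pem.gsub('PUBLIC KEY', 'CERTIFICATE REQUEST')

puts "public key: #{outer_shape(KEY.public_key.to_pem).inspect}"
puts "CSR:        #{outer_shape(CSR_PEM).inspect}"
puts "relabelled: #{csr_problem(RELABELLED)}"
puts "real CSR:   #{csr_problem(CSR_PEM).inspect}"
```

A public key is an algorithm identifier plus a bit string, while a CSR wraps the subject, the public key and any attributes in a signed structure, so changing the PEM header lines cannot turn one into the other.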

Comments

  • Micheal
    Micheal almost 2 years

    I am trying to submit a CSR request in the following way:

    require 'openssl'
    require 'json'
    require 'rest-client'
    
    def public_key_info
      key_info = private_key.public_key.to_pem
      key_info = key_info.sub! '-----BEGIN PUBLIC KEY-----', '-----BEGIN CERTIFICATE REQUEST-----'
      key_info = key_info.sub! '-----END PUBLIC KEY-----', '-----END CERTIFICATE REQUEST-----'
      key_info
    end
    
    # "Creating a new 2048bit RSA Keypair..."
    def private_key
      @private_key = OpenSSL::PKey::RSA.new 2048
    end
    
    payload = { 
      "CsrData" => public_key_info,
      "certTemplate" => "MyTemplate"
    }
    
    encoded = JSON.generate(payload)    
    p "Payload is #{encoded}"
    
    response = RestClient::Resource.new(
      'http://myURL/GenerateCertificateUsingCsr',
    ).post encoded, :content_type => 'application/json', :accept => 'text/plain'
    
    response_json = JSON.parse(response.body)
    p response_json
    

    The request failed with the error The submission failed: Error Parsing Request. ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG):

    {
        "certTemplate":"MyTemplate",
        "CsrData":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWeK196VcjZZFbKyEjpj\n8I6DjHbwiMi9I10tV41OEt9Ozp+M0V6TYOKNlJTXGxNUHD0lXFJBlS2z/PLQbW/3\n6C9xRkIclve5Uq8J2NmubnR9+NOt/cjPb4EJtMlxySq5cWOqEyq4UirUEfch9HMC\nkLwJ0MPdrDatZqfIv1IvhBiKfyqWV2jds3X60NlmvyGxnrd54dO8/OqNJNmw2BP9\n3aa21asRqB7oPW2H49o2gwDxF6ZEwymAFvU4jvO+BQLRDYTm8GslHyX9kCXWnYHg\nX7gqvek/mu7KqyIB44YyOjGYkVX76El32B08ruKlc+xZ8kFWC1bMzwZNoFEBKO6D\n9QIDAQAB\n-----END CERTIFICATE REQUEST-----"
    }
    
    {"ErrorCode"=>1005, "ErrorMessage"=>"The submission failed: Error Parsing Request  ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)", "Return"=>false, "p12Data"=>nil, "certexpdate"=>nil, "serialNo"=>nil}
    => true
    

    But if I create the CSR request from the command line:

    openssl req -out mytest.csr -new -newkey rsa:2048 -nodes -keyout mytest.key

    Then I converted the CSR, replacing each new line with the \n string.

    Then prepare a Json payload:

    {
      "certTemplate":"MyTemplate",
      "CsrData":"-----BEGIN CERTIFICATE REQUEST-----\nMIIC8zCCAdsCAQAwgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEWMBQGA1UE\nBwwNU2lsdmVyIFNwcmluZzELMAkGA1UECgwCRVMxCzAJBgNVBAsMAk1MMSAwHgYD\nVQQDDBcgbXNjbGllbnQ1MS5zYW10ZXN0LmNvbTElMCMGCSqGSIb3DQEJARYWbXNj\nbGllbnQ1MUBzYW10ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAL+X4YJ041JDVfYZr2IXHEAsBc9cbtYxuLa4FkXz+enZYj+9J4qK7zl9OJ7P\nfW29jf82oyQ83RH6XrYcFJKO9cuXgkkQaNV8X6J7sbn87hHUn8xZ1SORd+OPV/ws\nHdOuuv/kQi0S1Rz9Qn7RJiEnQqC14bp50fjJDxxYBVcU/bevlMuFzf8pKQbNfWD5\nbpHHPKpN6uKAXQa2vCqRPAHMvlxCqVHf1Lmy6xojsHGDdqYcYgwG2JB140nOpKtA\nwO9jR5wF7HmqUs/u/fV+p86IaHt6rAxo8WX0Ymu+48DanMdlBqjQ222OthnTbgmD\nbW9j16kNesriu8APSpxW6f7InhsCAwEAAaAYMBYGCSqGSIb3DQEJAjEJDAdNTF9U\nVjJHMA0GCSqGSIb3DQEBCwUAA4IBAQCOxISJbXXQqFmHTwcIP+jaYM1souuptE5l\nhrG/5T1Irz357DABfQpaZkon8dIF8QRpjCY2+b44srGtbKBbnUDAgM5e+qqZjx6X\ng7Yp7LLVW9EplvMYT83M62K9UyNFqjizgXbNIxJRsApLutLBpTpB3vIpQcZYhygf\nfJx/zmN3rD3K47SdaDd9JyD7W3tnAQ1rHEG1uS+Pm9Cq5+Wi8k+nEeGHtQnY5eps\nYqA/g86m4VR5RP0+oTvq3FC57PFqrbv+lwD9brCzjAK/c/QcyBnoxnMNbFVzwhcf\nKAF82Vl9kvwOwyD8sPN19V9ldmZpMhQ/2hsuHxRLAnlwHYhqfl/9\n-----END CERTIFICATE REQUEST-----"
    }
    

    The above CSR request works fine.

    What am I doing wrong with the ruby code above?

  • Micheal
    Micheal almost 8 years
    Thanks a ton. The gist you provided did not work since it was blocked on my company network. Opened it via phone & tried it. Works!
  • rhashimoto
    rhashimoto almost 8 years
    @Micheal Note that you will likely want to use a signature algorithm other than SHA1, which is now deprecated.
  • Micheal
    Micheal almost 8 years
    Thanks, you mean replace sha1 with sha256 or something else above?
  • rhashimoto
    rhashimoto almost 8 years
    @Micheal Yes, exactly that.