Re: [pyOpenSSL] Basic CSR signing issues...

[Jean-Paul C. <ex...@di...>]

On Mon, 3 Nov 2008 16:25:55 -0500, Joshua 'jag' Ginsberg <lis...@fl...> wrote:
>(apologies if this ends up double-posting -- I sent this 5 hours ago
>and it hasn't shown up in the archives yet, so I'm not sure it went
>out at all...)
>
>What am I doing wrong? Why can't I load my cert back into PyOpenSSL?
>

I'm not certain, but I suspect the issue is that you didn't explicitly set
the notBefore and notAfter attributes on the certificate.  I'm not sure
why the OpenSSL.crypto.Error doesn't provide this information, but if you
run this openssl command line:

    openssl x509 -in my.crt -text

then this error is produced:

    unable to load certificate
    13042:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:
    13042:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1281:
    13042:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:208:Type=ASN1_TIME
    13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=notBefore, Type=X509_VAL
    13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=validity, Type=X509_CINF
    13042:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=cert_info, Type=X509
    13042:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

It's similar to the one you get from pyOpenSSL (complaining about a "too
long" ASN1 thing somewhere, with lots of nesting and such) but notice that
it also includes the names of the fields which were on the parse stack at
the time of the error, something omitted from the pyOpenSSL exception.  Once
I noticed that, I checked your code and saw that you weren't setting the
validity dates, hence my suspicion.

Jean-Paul