Jason
February 1, 2016, 8:34pm
1
I receive the following error now that I try to get an EC certificate using staging:
Error: urn:acme:error:malformed :: The request message was malformed :: Error unmarshaling certificate request
My CSR is the following:
-----BEGIN CERTIFICATE REQUEST-----
MIICkjCCAhgCAQAwgYoxCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdGhlbnMxDzAN
BgNVBAcMBkF0aGVuczEOMAwGA1UECgwFSmFzb24xCzAJBgNVBAsMAklUMRMwEQYD
VQQDDAp3aW5wYWNrLmNmMScwJQYJKoZIhvcNAQkBFhh3aW5wYWNramFzb25Ab3V0
bG9vay5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR0aRzxQcjVmz7sZUNGoKjc
JYm+b7dJNtLYbxjjAQww+Y4at6vCT1AIjv9q6em5yOboL4QBkWDL+lebV/6TBveG
NeOS+ZgvUkXMjluVPS+nl+6M46cI+1LVQWCNJzenid6gggEMMIIBCAYJKoZIhvcN
AQkOMYH6MIH3MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgP4MCAGA1UdJQEB/wQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBtwYDVR0RBIGvMIGsggp3aW5wYWNrLmNm
gg53d3cud2lucGFjay5jZoIPbWFpbC53aW5wYWNrLmNmgg1teC53aW5wYWNrLmNm
gg5teDIud2lucGFjay5jZoIOd2lucGFjay5ldS5vcmeCEnd3dy53aW5wYWNrLmV1
Lm9yZ4ITbWFpbC53aW5wYWNrLmV1Lm9yZ4IRbXgud2lucGFjay5ldS5vcmeCEm14
Mi53aW5wYWNrLmV1Lm9yZzAKBggqhkjOPQQDBANoADBlAjEAp/t3wm2bZY5zOWz5
VP8T7TSVlMOkpuOVvMMI80t9pYrITTTQ7WBAgdT9jWGPmZSiAjA7dJMgSGx/JGgR
l1paiVqp3YhvG6slC3x6nFwopy4YYbnpP9J4sYzgmDlnOJwSRNE=
-----END CERTIFICATE REQUEST-----
I do not understand: where is the problem?
Osiris
February 1, 2016, 9:22pm
2
I don’t know for sure that’s the problem, but your CSR uses SHA512 as its hash function… Try SHA256 perhaps?
Jason
February 1, 2016, 9:23pm
3
OK, I figured the problem. I had specified some critical extensions that LE wasn’t going to issue, so I fixed that. However, I am now getting:
The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-384 not allowed
@jsha Doesn’t the production server support EC-384 yet?
riking
February 1, 2016, 9:43pm
4
No, the 384 curve is not currently enabled.
Jason
February 1, 2016, 9:45pm
5
May I ask why? And also why staging doesn’t support P-521?
jsha
February 1, 2016, 9:52pm
6
We haven’t yet made the necessary config changes following last week’s deploy. We will get to it, but we have a lot of higher priorities this week.
Jason
February 1, 2016, 9:54pm
7
May I also ask exactly what KeyUsages are allowed by LE?
jsha
February 1, 2016, 10:10pm
8
Details are on the other thread: ECDSA testing on staging . We will support Digital Signature. Part of the delay was the requisite code change to support different KeyUsages for different types of EE certs.
Hi, is there an issue for the KeyUsages changes?
I can not find it and it is not related to the EC Milestone.
Osiris
February 2, 2016, 6:27pm
10
I think yes, i did not know that it is called CFSSL and found no link from the EC thread.
Thanks for the reply.