Problem Issuing EC-384 Certificate


#1

I receive the following error now that I try to get an EC certificate using staging:

Error: urn:acme:error:malformed :: The request message was malformed :: Error unmarshaling certificate request

My CSR is the following:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

I do not understand: where is the problem?


#2

I don’t know for sure that’s the problem, but your CSR uses SHA512 as its hash function… Try SHA256 perhaps?


#3

OK, I figured out the problem. I had specified some critical extensions that LE wasn’t going to issue, so I fixed that. However, I am now getting:

The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-384 not allowed

@jsha Doesn’t the production server support EC-384 yet?


#4

No, the 384 curve is not currently enabled.


#5

May I ask why? And also why staging doesn’t support P-521?


#6

We haven’t yet made the necessary config changes following last week’s deploy. We will get to it, but we have a lot of higher priorities this week.


#7

May I also ask exactly what KeyUsages are allowed by LE?


#8

Details are on the other thread: ECDSA testing on staging. We will support Digital Signature. Part of the delay was the requisite code change to support different KeyUsages for different types of EE certs.
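The errors in #1 and #3 (hash algorithm, critical extensions, curve) and the KeyUsage point in #8 are all properties that can be read straight out of a CSR before it is ever sent to the CA. The script below is an added example written for this thread, not code from the original posts or from Let's Encrypt / Boulder; it assumes the `openssl` CLI is installed and uses a made-up `CN=example.test` subject. It builds an ECDSA CSR with only a non-critical `digitalSignature` key usage, then pulls out the curve name, the signature algorithm, and whether any requested extension is marked critical, so a CSR can be checked against what a CA will accept (for example P-256 with SHA-256, which the thread shows being accepted, rather than P-384 or SHA-512):

```shell
#!/bin/sh
# Added example (not from the thread): build an ECDSA CSR and check the
# properties this thread's errors touch on: curve, signature hash, and
# whether any requested extension is critical. Assumes the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_csr CURVE HASH: generate a key on CURVE (e.g. prime256v1, secp384r1)
# and print a CSR signed with HASH (e.g. sha256). The only requested
# extension is a non-critical keyUsage=digitalSignature, so a CA that
# ignores requested extensions does not have to reject the request.
gen_csr() {
  curve=$1
  hash=$2
  openssl ecparam -name "$curve" -genkey -noout -out "$WORK/key.pem" 2>/dev/null
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = example.test
[ext]
keyUsage = digitalSignature
EOF
  openssl req -new -key "$WORK/key.pem" -"$hash" \
    -config "$WORK/req.cnf" -out "$WORK/csr.pem" 2>/dev/null
  cat "$WORK/csr.pem"
}

# csr_curve: read a PEM CSR on stdin, print the NIST curve name (P-256, P-384, ...)
csr_curve() {
  openssl req -noout -text | sed -n 's/.*NIST CURVE: *//p'
}

# csr_sigalg: read a PEM CSR on stdin, print the CSR signature algorithm
# (e.g. ecdsa-with-SHA256); the value appears twice in -text output, keep one.
csr_sigalg() {
  openssl req -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_has_critical_ext: read a PEM CSR on stdin, succeed (exit 0) if any
# requested extension is marked critical, which is what tripped post #3.
csr_has_critical_ext() {
  openssl req -noout -text | grep -q 'critical'
}

# Stand-alone usage: generate a P-256/SHA-256 CSR and report on it.
CSR=$(gen_csr prime256v1 sha256)
echo "curve:     $(printf '%s\n' "$CSR" | csr_curve)"
echo "signature: $(printf '%s\n' "$CSR" | csr_sigalg)"
if printf '%s\n' "$CSR" | csr_has_critical_ext; then
  echo "critical extensions: yes"
else
  echo "critical extensions: no"
fi
```

The same three checks run unchanged on a CSR produced by any other tool; if `csr_curve` prints P-384 or P-521, or `csr_sigalg` prints `ecdsa-with-SHA512`, the CSR would have hit the errors quoted in this thread.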


#9

Hi, is there an issue for the KeyUsages changes?
I cannot find it, and it is not related to the EC Milestone.


#10

Do you mean Switch between CFSSL profiles based on EE cert type #1384 and Allow CFSSL profiles to be selected by key type #1389?


#11

I think yes, I did not know that it is called CFSSL and found no link from the EC thread.
Thanks for the reply.