How to encode request password in certificate request
I am using the Linux version of openssl req to generate a CSR with a password prompt; everything goes well except that it cannot print this attribute:
# openssl req -new -key private.key -out server.csr
# openssl req -in server.csr -noout -text
Certificate Request: ...
Attributes:
challengePassword :unable to print attribute ...
I tested with OpenSSL 1.0.1j on Fedora and OpenSSL 1.0.1 on Ubuntu; both cannot write challengePassword to the CSR file.
But if I use the Windows version, it might work:
# openssl req -in test.csr -noout -text
Certificate Request:
...
Attributes:
challengePassword :00F7FC7937B5366F2231AC891472998C
... I am using the 64-bit openssl from the SCEP tool:
Then I searched the openssl docs and found this suggestion:
attributes
this indicates a section containing any attributes of the request: its format matches the distinguished name. They can usually contain challengePassword or unstructured types. They are currently ignored by the OpenSSL request signing utilities, but some CAs may want them.
Yes, some CAs might want them. I am using NDES on Windows 2008 R2; it needs a password in the request, and it looks like that cannot be generated by the openssl req app. Can I use the openssl C or Python/Perl API? Or do I need to fix the openssl code?
I also asked this question on the sscep issue list; they told me I need to encode the password for the BMPString request. But I don't know how to code it. Can anyone give me a guide?
Let me answer my own question.
To include the request password attribute in the CSR, we need to write an ASN.1 PrintableString, but the openssl req utility writes MBSTRING_ASC by default, so it always returns ": cannot print attribute ...".
Here's some sample C code:
Convert the MBSTRING_ASC string to an ASN1_PRINTABLESTRING:
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
/* challenge_password is a NUL-terminated C string; req is the X509_REQ being built. */
/* M_ASN1_PRINTABLESTRING_new() is the OpenSSL 1.0.x macro; on 1.1.0 and later use ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING) instead. */
ASN1_STRING *tmp_os = M_ASN1_PRINTABLESTRING_new();
tmp_os->type = V_ASN1_PRINTABLESTRING;
int password_length = strlen(challenge_password);
ASN1_STRING_set(tmp_os, (const unsigned char *)challenge_password, password_length);
Add attributes to request:
/* Passing the PrintableString type, data and length explicitly means no MBSTRING conversion is applied to the value. */
X509_REQ_add1_attr_by_NID(req, NID_pkcs9_challengePassword, tmp_os->type, tmp_os->data, password_length);
/* add1 copies the data into the request, so the temporary string can be released. */
ASN1_STRING_free(tmp_os);
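As an added example (not code from the question, the answer or OpenSSL), here is a dependency-free Python encoder and decoder for the PKCS#9 challengePassword attribute. It shows the DER that results when the value is tagged PrintableString, as the answer above does, versus UTF8String or BMPString, as the sscep reply mentioned, and a check that reads the string type back out of an encoded attribute. The tag numbers and OID bytes are the standard ASN.1 values; the function names and the sample passwords are constructed here.

```python
# PKCS#9 challengePassword is OID 1.2.840.113549.1.9.7; these are its DER contents bytes
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")
# Universal ASN.1 tags for the string types discussed above
PRINTABLE_STRING, UTF8_STRING, BMP_STRING = 0x13, 0x0C, 0x1E
ENCODINGS = {PRINTABLE_STRING: "ascii", UTF8_STRING: "utf-8", BMP_STRING: "utf-16-be"}
NAMES = {PRINTABLE_STRING: "PrintableString", UTF8_STRING: "UTF8String", BMP_STRING: "BMPString"}
# Repertoire allowed in a PrintableString (X.680): letters, digits and a few punctuation marks
PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def encode_challenge_password(password: str, tag: int = PRINTABLE_STRING) -> bytes:
    """Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF <string> }."""
    if tag not in ENCODINGS:
        raise ValueError("unsupported string tag 0x%02x" % tag)
    # PrintableString is the default; reject characters outside its repertoire
    # instead of silently emitting DER that a strict CA will refuse.
    if tag == PRINTABLE_STRING and not set(password) <= PRINTABLE_CHARS:
        raise ValueError("password contains characters not allowed in PrintableString")
    value = der_tlv(tag, password.encode(ENCODINGS[tag]))
    return der_tlv(0x30, der_tlv(0x06, CHALLENGE_PASSWORD_OID) + der_tlv(0x31, value))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits count the length bytes that follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_challenge_password(attr: bytes):
    """Parse one Attribute and return (string type name, password), rejecting other shapes."""
    tag, seq, _ = read_tlv(attr)
    if tag != 0x30:
        raise ValueError("Attribute must be a SEQUENCE")
    oid_tag, oid, pos = read_tlv(seq)
    if oid_tag != 0x06 or oid != CHALLENGE_PASSWORD_OID:
        raise ValueError("not a challengePassword Attribute")
    set_tag, values, _ = read_tlv(seq, pos)
    str_tag, content, _ = read_tlv(values)
    if set_tag != 0x31 or str_tag not in ENCODINGS:
        raise ValueError("unexpected value encoding (set 0x%02x, string 0x%02x)" % (set_tag, str_tag))
    return NAMES[str_tag], content.decode(ENCODINGS[str_tag])
```

The decoder works on a single Attribute element; to check a real CSR you would first extract the attribute from the CertificationRequestInfo, for example with openssl asn1parse.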