JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


CSR analysis failed

While placing your order, you may encounter this kind of error message: CSR analysis failed.

CERTIFICATE REQUEST

Make sure the chain of characters you have pasted in the order form looks like:

-----BEGIN CERTIFICATE REQUEST-----
t9iZCa9PobnjK8j6FQz0MH1LLiLvCzLQAtcipm8DDT4H8q5M0F7+xWbQZuTiZYCg
...
MFoXDTEyMDUwNTIzNTk1OVoweTELMAkGA1UEBhMCRlIxFjAUBgNVBAgTDUlsZS1k
-----END CERTIFICATE REQUEST-----


If not, the file is not the one expected.

Renewal under IIS7

A CSR generated by Microsoft Internet Information Server for a renewal may cause an analysis error in our interface. Indeed, Microsoft Technet explains that this procedure should only be used for the renewal of Microsoft self-signed certificates.

for a IIS7 server, we advise to follow the procedure described here, even for a renewal:
http://www.tbs-certificats.com/FAQ/en/447.html

Convert the renewal request generated by IIS7
Certificate Request #PKCS7 - DER to CSR in #PKCS10 format - PEM

If you absolutely need to used the file generated for a IIS internal renewal, you'll have to extract the CSR in #PKCS10 format from the #PKCS7 format used by Microsoft.
To do so, here is the command to execute with OpenSSL:

openssl asn1parse -in file-iis7.csr -strparse $(openssl asn1parse -in file-iis7.csr | grep -A2 ':pkcs7-data'|tail -1|cut -d: -f1) -out /dev/stdout -noout | openssl req -inform DER -out file-csr-pem.csr

On Windows environments, you'll have to proceed in several steps:

  • Display the file structure:
    openssl asn1parse -in file-iis7.csr -i


    This command must display lines as below. spot:
    ":pkcs7-data",
    then:
    "58:d=5 hl=4 l=1870 prim: OCTET STRING [HEX DUMP]:3082074A..."
     0:d=0  hl=4 l=3391 cons: SEQUENCE          
        4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
       15:d=1  hl=4 l=3376 cons:  cont [ 0 ]        
       19:d=2  hl=4 l=3372 cons:   SEQUENCE          
       23:d=3  hl=2 l=   1 prim:    INTEGER           :01
       26:d=3  hl=2 l=  11 cons:    SET               
       28:d=4  hl=2 l=   9 cons:     SEQUENCE          
       30:d=5  hl=2 l=   5 prim:      OBJECT            :sha1
       37:d=5  hl=2 l=   0 prim:      NULL              
       39:d=3  hl=4 l=1889 cons:    SEQUENCE          
       43:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
       54:d=4  hl=4 l=1874 cons:     cont [ 0 ]        
       58:d=5  hl=4 l=1870 prim:      OCTET STRING      [HEX DUMP]:3082074A30
    


  • Spot the line number, in our example: 58
    You can then extract the DER CSR.

    openssl asn1parse -in file-iis7.csr -strparse 58 -out csr.der


  • Finaly, convert the DER encoded CSR into PEM #PKCS10 format:
    openssl req -inform der -in csr.der -out mynewcsr.csr