picture of tbs certificates
picture of tbs certificates
Our products range

CSR analysis failed

While placing your order, you may encounter this kind of error message: CSR analysis failed.


Make sure the chain of characters you have pasted in the order form looks like:


If not, the file is not the one expected.

Renewal under IIS7

A CSR generated by Microsoft Internet Information Server for a renewal may cause an analysis error in our interface. Indeed, Microsoft Technet explains that this procedure should only be used for the renewal of Microsoft self-signed certificates.

for a IIS7 server, we advise to follow the procedure described here, even for a renewal:

Convert the renewal request generated by IIS7
Certificate Request #PKCS7 - DER to CSR in #PKCS10 format - PEM

If you absolutely need to used the file generated for a IIS internal renewal, you'll have to extract the CSR in #PKCS10 format from the #PKCS7 format used by Microsoft.
To do so, here is the command to execute with OpenSSL:

openssl asn1parse -in file-iis7.csr -strparse $(openssl asn1parse -in file-iis7.csr | grep -A2 ':pkcs7-data'|tail -1|cut -d: -f1) -out /dev/stdout -noout | openssl req -inform DER -out file-csr-pem.csr

On Windows environments, you'll have to proceed in several steps:

  • Display the file structure:
    openssl asn1parse -in file-iis7.csr -i

    This command must display lines as below. spot:
    "58:d=5 hl=4 l=1870 prim: OCTET STRING [HEX DUMP]:3082074A..."
     0:d=0  hl=4 l=3391 cons: SEQUENCE          
        4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
       15:d=1  hl=4 l=3376 cons:  cont [ 0 ]        
       19:d=2  hl=4 l=3372 cons:   SEQUENCE          
       23:d=3  hl=2 l=   1 prim:    INTEGER           :01
       26:d=3  hl=2 l=  11 cons:    SET               
       28:d=4  hl=2 l=   9 cons:     SEQUENCE          
       30:d=5  hl=2 l=   5 prim:      OBJECT            :sha1
       37:d=5  hl=2 l=   0 prim:      NULL              
       39:d=3  hl=4 l=1889 cons:    SEQUENCE          
       43:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
       54:d=4  hl=4 l=1874 cons:     cont [ 0 ]        
       58:d=5  hl=4 l=1870 prim:      OCTET STRING      [HEX DUMP]:3082074A30

  • Spot the line number, in our example: 58
    You can then extract the DER CSR.

    openssl asn1parse -in file-iis7.csr -strparse 58 -out csr.der

  • Finaly, convert the DER encoded CSR into PEM #PKCS10 format:
    openssl req -inform der -in csr.der -out mynewcsr.csr