KB Article #180841

CERTIFICATES: Unable to complete a pending Certificate Signing Request (CSR)

Problem

When completing a pending CSR in SecureTransport by importing the certificate signed by a third-party Certificate Authority (CA), the import might fail and the following messages might be observed in the Server Log:


com.tumbleweed.st.server.api.CertificateCreateException: 
com.tumbleweed.st.server.api.NoSuchCertificateException: CSR not found: 
null / 0x_SOME_HASH_ID


Resolution

A certificate signing request is an unsigned copy of a certificate that you submit to a CA when requesting a signed certificate. In order to import the signed certificate and complete the pending CSR in ST, it is required that the public key of the signed certificate and the CSR must have an identical modulus. Using the openssl tool you can compare the moduli.


1. Calculate the modulus of the pending CSR issued by SecureTransport

Run this command:


openssl req -noout -modulus -in csr.req


The output should look like this:


Modulus=A383E18771A8055099CD312933828DD41E72BB8B4DD9E51EDA64A6C75E0193BC2B6A5A5F4B49F5D8AA14864E8760286D6FD90CDEF05F12CBBEEFE68F6D05305FD81262DD8BFBFDA8A568E5F5A1C9FA944C0F39F90E5E411CCFEACEFD50BBB29121C68CF8E3C3193003775E42E4A09300F96C9DF2CE8BF7F73B35FCD685FAE44A20DC581E84F15C17AB3689462526461BD9BC85852A949308DBDAF306189095CB0F0A1228A38CBEA4633F206940DD18FC66C3942735F404358173AF7450F8A0C0D4D2263D53361F94233FD19DDEA8EFB22C1BD9881DFC714FEB419B9AA39748A5A0F71CE6419ED0FA297FB68F5C2D95F0680E61D78A186CA5599AB33DA38FAAA3



2. Calculate the modulus of the signed certificate provided by the 3rd party Certificate Authority

Run this command:


openssl x509 -noout -modulus -in signed_certificate.crt


The output must match the output from step 1. If not, the signed certicicate and the CSR do not belong to each other and you'll need to re-submit the CSR (or a new CSR) to the Certificate Authority to re-sign it.


TIP: For easier comparison, you can combine both commands above and use the check the MD5 sums of the output strings:


openssl req -noout -modulus -in csr.req | md5sum ;\openssl x509 -noout -modulus -in signed_certificate.crt | md5sum

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.