Help with the API #37

Open
Hoyle opened this issue Sep 10, 2015 · 5 comments

Comments

@Hoyle

Hoyle commented Sep 10, 2015

We're having problems with the API and wanted to see if anyone had any suggestions.

We're trying to generate certificates through our Ruby on Rails website using the HTTParty gem and our r509 certificate authority. However, we keep getting the message "CA not found". The helper page works. Feel free to try it (http://104.131.33.253/test/certificate/issue).

Below is the code my RoR guy has been trying. Any thoughts?

Thanks in advance!


require 'httparty'

csr =
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

subject = "subject[CN]=wificert&subject[C]=US&subject[ST]=NY&subject[L]=New York&subject[O]=Wifi"

options = {
  "ca" => "r509_howto_ca",
  "profile" => "server",
  "validityPeriod" => "31536000",
  "subject" => subject,
  "csr" => csr
}

response = HTTParty.post("http://104.131.33.253/1/certificate/issue", options)

puts response.inspect

@reaperhulk
Member

I'm not sure how HTTParty parses POST options but you may need to make that

options = {
  "ca" => "r509_howto_ca",
  "profile" => "server",
  "validityPeriod" => "31536000",
  "subject[CN]" => "wificert",
  "subject[C]" => "US",
  # <rest of the subject[] items here>
  "csr" => csr
}

@Hoyle
Author

Hoyle commented Sep 10, 2015

Thanks!

We will try it and let you know.

@Hoyle
Author

Hoyle commented Sep 27, 2015

This is the latest error message we're getting:

OpenSSL::X509::RequestError: header too long

Any ideas?

Thanks!

@reaperhulk
Member

That implies something wrong with the CSR you're providing for signing. Make sure it's not being reformatted compared to the POST command that the sample page is sending. Essentially you need to exactly duplicate that.
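Added example, not part of the thread and not r509's own code: a stdlib-only Ruby check that a CSR still parses and verifies before it is submitted, and that it survives form encoding with one flat `subject[...]` key per name component as suggested in the earlier reply. The helper names (`sample_csr_pem`, `csr_intact?`, `issue_form_body`, `decoded_field`) are hypothetical, the CSR is constructed locally, and no request is sent.

```ruby
require 'openssl'
require 'uri'

# Constructed sample input: a throwaway key and CSR generated locally.
def sample_csr_pem
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.parse('/CN=wificert/C=US')
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

# True only if the text parses as a CSR and its self-signature verifies.
# A reformatted PEM (lost newlines, stray characters) fails here with
# OpenSSL::X509::RequestError, the error class reported in the thread.
def csr_intact?(pem)
  req = OpenSSL::X509::Request.new(pem)
  req.verify(req.public_key)
rescue OpenSSL::X509::RequestError
  false
end

# Build the form body with the parameter names used on this page.
# URI.encode_www_form percent-encodes newlines and '+' so the PEM
# text is not altered in transit.
def issue_form_body(csr_pem, subject)
  fields = { 'ca' => 'r509_howto_ca', 'profile' => 'server',
             'validityPeriod' => '31536000', 'csr' => csr_pem }
  subject.each { |k, v| fields["subject[#{k}]"] = v }
  URI.encode_www_form(fields)
end

# What a form-decoding server would receive for one field.
def decoded_field(body, name)
  URI.decode_www_form(body).to_h.fetch(name)
end

if $PROGRAM_NAME == __FILE__
  pem  = sample_csr_pem
  body = issue_form_body(pem, { 'CN' => 'wificert', 'C' => 'US' })
  puts "intact after form round trip: #{csr_intact?(decoded_field(body, 'csr'))}"
  puts "intact with newlines collapsed: #{csr_intact?(pem.gsub("\n", ' '))}"
end
```

Running `csr_intact?` on the exact string about to be posted shows whether the client has altered the CSR before it reaches the CA.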

@Hoyle
Author

Hoyle commented Oct 30, 2015

Sorry for the delay. It was a problem with the HTTParty gem. Sorry about that and thanks for your help.

I have some more questions if you have the time. We're creating a front-end website that allows users to generate certificates through the r509 API. However, unless I missed it, r509 does not have an API to generate a CSR. What can we do (and still be considered following best practice) to generate a CSR?

In case it helps to have some background, we want to eventually have the website users download the certificates as PKCS12 formatted files, which will be used for controlling network access. As I understand it, r509 will need access to the private key to save the certificates in a PKCS12 format, as you talked about in another question: r509/r509#78.

However, as I stated in the beginning, I'm not sure how to use r509 to create the CSR, and if having the CA create the CSR and having access to the private key is considered best practice. Sorry, I'm at the outer edges of my PKI understanding...

Thanks for your help again!
