[2.7.0/2.8.0] Error: duplicate extensions occurred while loading CSR. #623

Open
kokko4102 opened this issue Jan 12, 2025 · 3 comments

@kokko4102

When signing a CSR I get a "duplicate extensions" error.

  1. Load the CSR.
  2. Right-click the loaded CSR and select "Sign".
  3. Select a template in the [Source] tab and press the [Apply extensions] button.
  4. The following error occurs in the [Advanced] tab.

Error: duplicate extensions:
X509v3 Basic Constraints
X509v3 Key Usage
X509v3 Subject Alternative Name
[Screenshot: v280_Advanced01]

After pressing [OK], the following warning will appear.

The certificate contains invalid or duplicate extensions.
Check the validation on the advanced tab.
[Screenshot: v280_Advanced02]

My CSR was created using FortiGate.
It seems to occur in v2.7.0 and v2.8.0.
This error did not occur in v2.6.0. The screenshot below shows the Advanced tab for v2.6.0.
[Screenshot: v260_Advanced01]

I will send you the CSR so you can check it out.
The CSR information is as follows:

Certificate Name: TestCA_208_Server
Common Name: server01.example-uuu1.com
Organization Unit: UTM
Organization: Security
Locality(City): Shibuya
State / Province: Tokyo
Country / Region: Japan(JP)
E-Mail: [email protected]
Subject Alternative Name: DNS:server01.example-uuu1.com
Password for private key: password
Key Type: RSA
Key Size: 2048bit
TestCA_Server.zip

@chris2511
Owner

The CSR and the template contain the same extensions:

  • X509v3 Basic Constraints
  • X509v3 Key Usage
  • X509v3 Subject Alternative Name

Putting them both into the final certificate is not allowed, and XCA does not know which extension to use.

  • Solution 1: Unselect "Copy extensions from the request" in the Source tab, which ignores all extensions from the request.
  • Solution 2: Set "Basic Constraints" type to "Not defined", unselect all entries in the "Key Usage" box and clear the SAN input field.
    In this case you should review whether the request extensions are acceptable.

You may derive a new template from one of the default templates and erase those entries if you need to sign that type of request more often.
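The duplicate check described in the comment above, as an added example that is not part of the original thread and is not XCA's code: it reads the extension OIDs out of a DER-encoded Extensions sequence and reports those that a request and a template would both put into the certificate. The request and template bytes are constructed samples, and the helper names and the Subject Key Identifier entry in the template are assumptions.

```python
NAMES = {"2.5.29.19": "X509v3 Basic Constraints",
         "2.5.29.15": "X509v3 Key Usage",
         "2.5.29.17": "X509v3 Subject Alternative Name"}

def tlv(tag, body):
    """Encode one DER TLV (short-form length: every body here is < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the TLV at pos into (tag, value, next_pos), long-form lengths included."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def oid_str(v):
    """Dotted OID from content bytes (the first byte carries the first two arcs)."""
    arcs, acc = [min(v[0] // 40, 2)], 0
    arcs.append(v[0] - 40 * arcs[0])
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extension_oids(der):
    """extnID of each Extension in a DER-encoded Extensions SEQUENCE, in order."""
    _, seq, _ = read_tlv(der, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, ext_body, pos = read_tlv(seq, pos)
        oids.append(oid_str(read_tlv(ext_body, 0)[1]))
    return oids

def duplicate_extensions(request_der, template_der, copy_request=True):
    """Extensions the issued certificate would carry twice (RFC 5280 forbids that)."""
    merged = (extension_oids(request_der) if copy_request else []) + extension_oids(template_der)
    return [NAMES.get(o, o) for o in dict.fromkeys(merged) if merged.count(o) > 1]

def ext(oid, value):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value))
# Constructed sample extensions; helper names are hypothetical, not XCA's.
BC = ext(b"\x55\x1d\x13", tlv(0x30, b""))             # basicConstraints, CA:FALSE
KU = ext(b"\x55\x1d\x0f", b"\x03\x02\x05\xa0")        # digitalSignature, keyEncipherment
SAN = ext(b"\x55\x1d\x11", tlv(0x30, tlv(0x82, b"server01.example-uuu1.com")))
SKI = ext(b"\x55\x1d\x0e", tlv(0x04, bytes(20)))      # placeholder key identifier
REQUEST = tlv(0x30, BC + KU + SAN)                    # what the CSR asks for
TEMPLATE = tlv(0x30, BC + KU + SAN + SKI)             # template that sets the same three
TEMPLATE_CLEARED = tlv(0x30, SKI)                     # template after "Solution 2"
```

`duplicate_extensions(REQUEST, TEMPLATE)` names the three extensions from the error dialog; passing `copy_request=False` models Solution 1 and `TEMPLATE_CLEARED` models Solution 2, where the requester's Basic Constraints and Key Usage end up in the certificate and need review before signing.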

@chris2511
Owner

The fact that v2.6.0 did not show the error was a bug.

@kokko4102
Author

Thank you for your quick response.
Following your solution I was able to avoid the error.
In addition, I understood that the movement of v2.6.0 was a bug.
Because I thought your solution 2 reflected accurate CSR information, I decided to use it.
