ASN.1 parse asn1 parse error with openssl ca module, but no issues reported by x509 module or asn1parse module

Andy Wood

Feb 27, 2026, 2:55:50 AM
to openssl-users
Hi, I've run into an issue trying to automate issuing certificates for a handful of hosts on my intranet using a local root CA.
I'm not very experienced with openssl, I've been following the documentation here which has been very helpful and pretty straight-forward, but I'm running into trouble trying to automate the process.
There's every chance this is some silly mistake in my config file I've overlooked or something, but I'm finding the issue pretty un-googlable so I'm not sure where else to turn.

I've been able to automate the issuing and collecting of CSRs from the various hosts on my intranet, but when I try to sign the collected hosts, the openssl ca module reports an asn1 parse error with the CSRs:
343FF376:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1221:
343FF376:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:375:Type=X509_REQ
error: unable to load certificate request from file '/usr/local/share/csr-signing/csr/rhyolite.houseof.rocks.csr.pem'

I've tried running the command line my automation is using by hand and I can reproduce the issue reliably, but when I run openssl x509 -text, or openssl asn1parse, neither of those modules has any issue parsing and reading back the structure of the CSR. I'm not sure what's happening with the ca module that causes it to report an asn1 parse error, when the asn1 parser by itself seems to have no issue.

I've uploaded a terminal log of the described behavior, plus one of the culprit CSRs and my openssl ca config to my public webserver for reference:

Viktor Dukhovni

Feb 27, 2026, 5:42:00 AM
to openss...@openssl.org
On Thu, Feb 26, 2026 at 11:55:49PM -0800, Andy Wood wrote:

> I've tried running the command line my automation is using by hand and I
> can reproduce the issue reliably, but when I run openssl x509 -text,

The `openssl x509` command prints certificates, not CSRs.
To print a CSR you need to use `openssl req`.

> I've uploaded a terminal log of the described behavior, plus one of the
> culprit CSRs and my openssl ca config to my public webserver for reference:
> https://pdxlents.online/openssl_misbehavior.txt
> https://pdxlents.online/openssl.cnf
> https://pdxlents.online/rhyolite.houseof.rocks.csr.pem

The last of these holds a certificate, not a CSR.

$ curl -sLo - 'https://pdxlents.online/openssl_misbehavior.txt'
basalt:~# /usr/bin/openssl ca -config /root/ca/intermediate/openssl.cnf \
-passin file:/tmp/ansible.3s7lximp -extensions server_cert -days 375 \
-notext -md sha256 -in /usr/local/share/csr-signing/csr/rhyolite.houseof.rocks.csr.pem \
-out /usr/local/share/csr-signing/cert/rhyolite.houseof.rocks.cert.pem

Well, that '-in' file does not hold a CSR.

basalt:~# openssl x509 -in /usr/local/share/csr-signing/csr/rhyolite.houseof.rocks.csr.pem -inform pem -text -noout

And there you are showing it holds a certificate...

Certificate:
Data:
Version: 3 (0x2)
...

--
Viktor. 🇺🇦 Слава Україні!
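
A pre-flight check for the mix-up diagnosed above, as an added example that is not part of the thread or of OpenSSL: it reads the PEM label of each collected file and refuses anything that is not a certificate request before `openssl ca` sees it. The function names and sample file names are hypothetical, and the sample files are constructed with a placeholder body.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a PEM file by its encapsulation
# label so a certificate is never passed to `openssl ca -in` as a CSR.

# pem_kind FILE: print csr | certificate | other:<label> | no-pem
pem_kind() {
    label=$(awk '{ sub(/\r$/, "") }
        /^-----BEGIN .*-----$/ { sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print; exit }' "$1")
    case "$label" in
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo csr ;;
        "CERTIFICATE"|"TRUSTED CERTIFICATE"|"X509 CERTIFICATE") echo certificate ;;
        "") echo no-pem ;;              # DER, empty, or not PEM at all
        *)  echo "other:$label" ;;      # keys, CRLs, anything else
    esac
}

# require_csr FILE: succeed only if FILE carries a CSR label and, when the
# openssl binary is installed, `openssl req` can also parse it.
require_csr() {
    kind=$(pem_kind "$1")
    if [ "$kind" != csr ]; then
        echo "refusing $1: expected a CSR, found $kind" >&2
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        openssl req -in "$1" -noout >/dev/null 2>&1 || {
            echo "refusing $1: CSR label, but openssl req cannot parse it" >&2
            return 1
        }
    fi
}

# write_sample FILE LABEL: constructed PEM-shaped file; only the label is meaningful.
write_sample() {
    printf '%s\n' "-----BEGIN $2-----" "Q09OU1RSVUNURUQ=" "-----END $2-----" > "$1"
}

# With no arguments, classify two constructed samples; otherwise the files given.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    write_sample "$tmp/host-a.csr.pem" "CERTIFICATE"          # mislabelled, as in the thread
    write_sample "$tmp/host-b.csr.pem" "CERTIFICATE REQUEST"
    set -- "$tmp/host-a.csr.pem" "$tmp/host-b.csr.pem"
fi
for f in "$@"; do echo "$f: $(pem_kind "$f")"; done
```

Calling `require_csr` on each collected file before the signing step turns the ASN.1 "wrong tag" failure into a message that names the actual content type.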

Andy Wood

Feb 28, 2026, 1:53:03 PM
to openssl-users, openss...@openssl.org
Thank you much, that was the clue I needed! ^^