How to fix a missing NULL value in a CSR

Problem

Your CSR is not properly formatted because it is missing a NULL value.

Possible Error Messages:

When your CSR is missing a NULL value, you might see one of these error messages:

  • The submitted CSR is not a properly formatted CSR. Generate and submit a valid CSR.

  • The CSR is missing a NULL value in its AlgorithmIdentifier parameter.

Cause

The CSR is missing a NULL value in the OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) field. To be compliant with RFC 3279, this field must contain a NULL value.

"The rsaEncryption OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field MUST have ASN.1 type NULL for this algorithm identifier."

To learn more, see RFC 3279.

Example of a Valid CSR with a NULL Value

SEQUENCE	{
  OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  (PKCS #1)
  NULL
  }

Example of an Invalid CSR without the NULL Value

SEQUENCE	{
  OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  }
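
To check a CSR for this condition before submitting it, the sketch below walks the DER structure and reports, for each rsaEncryption AlgorithmIdentifier it finds, whether the parameters field is an ASN.1 NULL. It is an added example, not code from DigiCert or phpseclib; the function names are hypothetical and the VALID and INVALID byte strings are constructed samples (a key-info structure with a dummy one-byte key), not real CSRs.

```python
import base64

RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1 2 840 113549 1 1 1

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armor lines and base64-decode the body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos.
    Single-byte tags only, which is all a PKCS #10 CSR uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, start, end) triples of the elements between start and end."""
    out = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        out.append((tag, s, e))
        start = e
    return out

def rsa_params_null(buf, start=0, end=None):
    """One bool per rsaEncryption AlgorithmIdentifier: True if parameters is NULL."""
    results = []
    for tag, s, e in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:            # primitive element: nothing nested to inspect
            continue
        kids = children(buf, s, e)
        if tag == 0x30 and kids and kids[0][0] == 0x06 \
                and buf[kids[0][1]:kids[0][2]] == RSA_ENCRYPTION:
            # Compliant form: exactly OID followed by an empty NULL (05 00).
            results.append(len(kids) == 2 and kids[1][0] == 0x05
                           and kids[1][1] == kids[1][2])
        else:
            results.extend(rsa_params_null(buf, s, e))
    return results

def der(tag, content):                # short-form lengths only; enough for the samples
    return bytes([tag, len(content)]) + content

# Constructed samples: SEQUENCE { AlgorithmIdentifier, BIT STRING (dummy key) }
OID = der(0x06, RSA_ENCRYPTION)
VALID = der(0x30, der(0x30, OID + der(0x05, b"")) + der(0x03, b"\x00"))
INVALID = der(0x30, der(0x30, OID) + der(0x03, b"\x00"))
```

For a real request, pass the output of pem_to_der() on the CSR text to rsa_params_null(); any False in the result corresponds to the invalid form shown above.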

Solutions

1) Update Your PHP Libraries

Are you using the third-party phpseclib library to create your CSR? The simplest solution may be to update your PHP libraries. The most current version of the phpseclib library includes the required NULL value fields by default.

After the library update is complete, generate a new CSR and submit it.

2) Use the DigiCert Certificate Utility or OpenSSL to Generate Your CSR

Generate a new CSR with our DigiCert® Certificate Utility for Windows or OpenSSL. Most platforms include the required NULL value in the OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) field by default.

DigiCert Certificate Utility for Windows

Do you have access to a Microsoft-based server or workstation? Then use our DigiCert Certificate Utility to create your CSR. See CSR Creation Instructions for Microsoft Servers.

OpenSSL

Want to use OpenSSL to generate your CSR? Then use our OpenSSL CSR Wizard to create your CSR for Apache (or any platform). See OpenSSL CSR Creation.

Another Available Workstation

Need to use a different server type or prefer to use the server or application's native OS to create your CSR? See Create a CSR (Certificate Signing Request).

3) Modify the Third-Party phpseclib Library

Are you using the third-party phpseclib library to create your CSR? Need to stay on an older version of the PHP libraries? You may need to replace the following statements/lines in the x509.php and ASN1.php files.

Note: This solution may not be permanent. Library updates, software updates, etc. may overwrite your modifications. In other words, you may need to repeat these steps following certain software changes.

After modifications are complete, generate a new CSR and submit it.

File Name: x509.php

Look for this function


    function saveCSR($csr, $format = FILE_X509_FORMAT_PEM)
    {
        if (!is_array($csr) || !isset($csr['certificationRequestInfo'])) {
            return false;
        }

        switch (true) {
            case !($algorithm = $this->_subArray($csr, 'certificationRequestInfo/subjectPKInfo/algorithm/algorithm')):
            case is_object($csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']);
                break;
            default:
                switch ($algorithm) {
                    case 'rsaEncryption':
                        $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']
                            = base64_encode("\0" . base64_decode(preg_replace('#-.+-|[\r\n]#', '', $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'])));
                }
        }

Replace function with this (added lines are marked with an "// added" comment)

    function saveCSR($csr, $format = FILE_X509_FORMAT_PEM)
    {
        if (!is_array($csr) || !isset($csr['certificationRequestInfo'])) {
            return false;
        }

        switch (true) {
            case !($algorithm = $this->_subArray($csr, 'certificationRequestInfo/subjectPKInfo/algorithm/algorithm')):
            case is_object($csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']):
                break;
            default:
                switch ($algorithm) {
                    case 'rsaEncryption':
                        $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey']
                            = base64_encode("\0" . base64_decode(preg_replace('#-.+-|[\r\n]#', '', $csr['certificationRequestInfo']['subjectPKInfo']['subjectPublicKey'])));
                        // added: set the parameters field of the public key algorithm
                        $csr['certificationRequestInfo']['subjectPKInfo']['algorithm']['parameters'] = null;
                        // added: set the parameters field of the signature algorithm
                        $csr['signatureAlgorithm']['parameters'] = null;
                        // added
                        $csr['certificationRequestInfo']['signature']['parameters'] = null;
                }
        }

File Name: ASN1.php

Look for this code


        foreach ($mapping['children'] as $key => $child) {
            if (!isset($source[$key])) {
                if (!isset($child['optional'])) {
                    return false;
                }
                continue;
            }

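Replace it with this (the changed line is marked with a "// changed" comment). The change is needed because isset() returns false for a key whose value is null, so the parameters fields set to null in x509.php would otherwise be treated as missing.

        foreach ($mapping['children'] as $key => $child) {
            // changed: was !isset($source[$key]), which is also true when the value is null
            if (!array_key_exists($key, $source)) {
                if (!isset($child['optional'])) {
                    return false;
                }
                continue;
            }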