Internal - Failed Lint Check Exponential Error

June 28, 2018

[x509lint] WARNING: RSA public exponent not in range of 2^16+1 to 2^256-1

[zlint] WARNING: RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1

These lint warnings are caused by the RSA public exponent in the CSR being smaller than 65537 (2^16 + 1) or larger than 2^256 - 1 (about 1.157920892373 x 10^77, which is a huge number). 65537 itself is an accepted value.

The order in SASP will be rejected for this reason.

The fix is to have the customer generate a new CSR with an exponent of at least 65537. We can then unreject the order and upload the new CSR.

IIS will generate a CSR with an exponent of 65537; there is no way to edit this.

Using OpenSSL with the right commands in the wrong places can also generate the exponent incorrectly.

This is the correct command to generate a CSR using OpenSSL:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

You can check the CSR by using openssl:

openssl req -text -noout -in (full path to the CSR, including the file extension such as .req, .csr, .txt, etc.)

The CSR must contain -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----

Incorrect Exponent

Correct Exponent
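
The same exponent check can be scripted. The following Python is an added example, not part of the original article or any CA tooling: it reads the public exponent directly from a CSR and applies the range from the lint warnings above. The function names and sample_csr (a constructed, unsigned CSR-shaped input with a dummy modulus) are assumptions for illustration.

```python
import base64, re
MIN_E, MAX_E = 2**16 + 1, 2**256 - 1           # range quoted by x509lint and zlint
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (1.2.840.113549.1.1.1)

def tlv(buf, pos=0):                           # one DER element: (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                         # contents of each child element
    out, pos = [], 0
    while pos < len(content):
        _, body, pos = tlv(content, pos)
        out.append(body)
    return out

def csr_exponent(csr):                         # csr: PEM text or DER bytes (PKCS#10)
    if isinstance(csr, str):
        m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", csr, re.S)
        if not m:
            raise ValueError("missing BEGIN/END CERTIFICATE REQUEST lines")
        csr = base64.b64decode(m.group(1))
    info = children(tlv(csr)[1])[0]            # CertificationRequestInfo
    algorithm, public_key = children(children(info)[2])[:2]  # SubjectPublicKeyInfo
    if children(algorithm)[0] != RSA_OID:
        raise ValueError("not an RSA key")
    _, exponent = children(tlv(public_key[1:])[1])[:2]       # skip unused-bits octet
    return int.from_bytes(exponent, "big")

def exponent_ok(e):                            # True if e passes the lint range check
    return MIN_E <= e <= MAX_E

def der(tag, body):                            # DER encoder, only for the sample below
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_csr(e):                             # constructed, unsigned, demo input only
    num = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = der(0x30, num(2**2047 + 1) + num(e))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\0" + key))
    info = der(0x30, num(0) + der(0x30, b"") + spki + der(0xA0, b""))
    body = base64.encodebytes(der(0x30, info)).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + body + "-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print({e: exponent_ok(csr_exponent(sample_csr(e))) for e in (3, 65537, 2**256)})
```

To check a customer's CSR, pass the contents of the file to csr_exponent() and the result to exponent_ok().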

Robin previously stated within Mozilla’s Bugzilla: “Currently the only reason that we consider to be a false positive is: '[x509lint] ERROR: Name entry contains an invalid type' and the reason we need to FP that is that for certain customers we add in an unstructuredName attribute to the certificate subject. The content of that field is identical to the commonName.”
