Failed to parse CSR when adding client certificate. (Code: 1462)

Hi all,

The new requirements (https://support.apple.com/en-gb/103769) for TLS in Apple iOS 13 state that:

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

I cannot find a way to generate a client certificate using Cloudflare which includes the SAN. (I am using the free plan.)

Instead, I have generated my own CSR using openssl which I’d like to use with Cloudflare; this includes the SAN to meet Apple’s requirements. I have selected “Create Certificate” under Websites > SSL/TLS > Client Certificates and then ticked the “Use my private key and CSR” checkbox.

After pasting in my CSR and clicking create, I get the following error: Failed to parse input CSR. Please check your input and try again. (Code: 1462). I cannot find code 1462 in the documentation (https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/reference/status-codes/custom-csrs/).

My csr.pem is formatted like this:

-----BEGIN CERTIFICATE-----
MIID/jCCAuagAwIBAgIUYfo/MYjKzaWbazsxcpeJdf8NRdE
[........]
FDMESRP/RxXYK6+dac/JUtSJ5sHl5jDZ433NaE/wN+ALO
-----END CERTIFICATE-----

I have also tried using -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- but to no avail.

For reference here is the decoded csr.pem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:fa:3f:31:88:ca:cd:a5:9b:6b:3b:31:72:97:89:75:ff:0d:45:d1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = State, L = City, O = Organization, OU = Department, CN = [DOMAIN]
        Validity
            Not Before: Feb  2 21:27:35 2024 GMT
            Not After : Feb  1 21:27:35 2026 GMT
        Subject: C = US, ST = State, L = City, O = Organization, OU = Department, CN = [DOMAIN]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e6:6c:f9:f7:88:8d:c0:08:36:7e:55:4c:70:64:
                    [........]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                EB:85:DC:FD:9A:F2:B8:5D:A0:6E:66:1F:6A:16:BC:A4:6D:E2:27:2E
            X509v3 Authority Key Identifier:
                keyid:EB:85:DC:FD:9A:F2:B8:5D:A0:6E:66:1F:6A:16:BC:A4:6D:E2:27:2E

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:[DOMAIN]
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         85:11:13:83:fc:fd:a4:c5:17:c1:4c:1f:12:58:9c:45:77:85:
         [........]

TIA
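
Added example, not part of the original post or of Cloudflare's tooling: the decoded output above carries Serial Number, Issuer and Validity fields, which exist in an X.509 certificate but not in a PKCS#10 request, and changing the PEM label does not change the bytes underneath. This Python check classifies a PEM block by its ASN.1 shape rather than its label. The helper names and the skeleton DER samples are constructed for illustration, contain no real keys or signatures, and the parser assumes well-formed DER.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def tlv(tag, body=b""):
    """Encode one DER element (short-form length, enough for the samples)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER element at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def child_tags(value):
    """List the tags of the elements directly inside a constructed value."""
    tags, pos = [], 0
    while pos < len(value):
        tag, _, pos = read_tlv(value, pos)
        tags.append(tag)
    return tags

def classify(pem_text):
    """Return (pem_label, actual_kind); actual_kind comes from the ASN.1 shape."""
    m = PEM_RE.search(pem_text)
    if not m:
        return None, "not PEM"
    der = base64.b64decode("".join(m.group(2).split()))
    _, outer, _ = read_tlv(der, 0)        # outer SEQUENCE
    _, first, _ = read_tlv(outer, 0)      # TBSCertificate or CertificationRequestInfo
    tags = child_tags(first)
    if tags == [0x02, 0x30, 0x30, 0xA0]:  # version, subject, SPKI, [0] attributes
        return m.group(1), "csr"
    if tags[:1] == [0xA0]:                # optional [0] version (v2/v3 certificates)
        tags = tags[1:]
    if tags[:6] == [0x02] + [0x30] * 5:   # serial, sigAlg, issuer, validity, subject, SPKI
        return m.group(1), "certificate"
    return m.group(1), "unknown"

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed skeletons: correct ASN.1 shape, placeholder contents only.
SEQ = tlv(0x30)  # empty SEQUENCE placeholder
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SEQ * 5 + tlv(0xA3, SEQ))
CRI = tlv(0x30, tlv(0x02, b"\x00") + SEQ * 2 + tlv(0xA0))
CERT_DER = tlv(0x30, TBS + SEQ + tlv(0x03, b"\x00"))
CSR_DER = tlv(0x30, CRI + SEQ + tlv(0x03, b"\x00"))
```

`classify(pem("CERTIFICATE REQUEST", CERT_DER))` still reports a certificate, which is why relabelling the file cannot satisfy a CSR parser. On a real file, `openssl req -in csr.pem -noout -text` succeeds only for a genuine request.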
