Certificate signing requests generated with keytool on Linux generate CRLF at the end. This is a regression to JDK 7, which used plain '\n' to separate lines. This is an interoperability issue with non-Java tools.
Steps to Reproduce:
$ keytool -genkeypair -alias dummy -keyalg RSA -keysize 2048 \
-sigalg SHA256withRSA \
-dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
-validity 3652 -keypass passphrase -keystore keystore \
-storepass passphrase
$ keytool -keypass passphrase -storepass passphrase -certreq -v -alias dummy -keystore keystore -file csr.txt
$ file csr.txt
csr.txt: RFC1421 Security Certificate Signing Request, ASCII text, with CRLF, LF line terminators
Note the "CRLF, LF line terminators" output of file.
Expected:
$ file csr.txt
csr.txt: RFC1421 Security Certificate Signing Request, ASCII text
A plain "jtreg"-like Java test showing the issue is attached.
Expected output:
DEBUG: Verifying whether cert request is consistent with platform CRLF...
'-----BEGIN NEW CERTIFICATE REQUEST-----'
'MIICwDCCAagCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDdXBlcnRp'
'bm8xDjAMBgNVBAoTBUR1bW15MQ4wDAYDVQQLEwVEdW1teTEaMBgGA1UEAxMRZHVtbXkuZXhhbXBs'
'ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJyPx5CunOuNreAlp82l0Bv0N9'
'WqmvTZYSMe0YaiBFCWdc18P8Ax+9d67Z/FU+5X/sZoFm5Ei9X8Scn0WoKBuIU2n9sPiYuU3OQNEC'
'E14frpsXxScognmUcgFIGrdI9ZxxW75zxxsPtezEghSGBSrVEY7aget39/SxyjVzXUxB/T0MUsMH'
'2CnM+L/IHWeKBvGz+FtLeGQeBerlHnf0rdHQjoN+M1nB3U0TvDRYTxToXXX2tQ2aj42xhYYPE0h/'
'aKqi0t+evnx1MwrwfED0lPzXb2FzKJTaHx9u/BS9OUgjUH6jv7/JiFn9o3IH/yAEtBfLJ1d0u27W'
'hW3j3M6N6GSzAgMBAAGgETAPBgkqhkiG9w0BCQ4xAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBBsZDc'
'ZtdQivvar3iU9/tnQpTUWalF0t2xgNXyD4JBpMWceRBCJHE1LJeeOHM7L1IVO8UcrIorF6eaXk5b'
'82TXenQaVsnCenhISLF1AMjzghsiqNoqvHGbzH1wWhjQKF80+Cqd0DY8XyS8rx6p5tsWGg3KyqR7'
'i+OY0UfG7C3dW2gJijFw0XMf+Sg/5ZbUCx1VfjkOMpv3Za896jc1bk14BSew4WIFAxJXtleXV7c8'
'hW2IgWa7VbpqtgCNwymn37j2bdCNBSXKEFsaq6RQeqxxLcLg9937A8HOOGxqUL0Jcj/FveDbAucn'
'SG5zqXKkTRA1jMvSv8cAfYGEZ33W1jPg'
'-----END NEW CERTIFICATE REQUEST-----'
Test passed!
Actual output:
DEBUG: Verifying whether cert request is consistent with platform CRLF...
'-----BEGIN NEW CERTIFICATE REQUEST-----'
'MIICwDCCAagCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
'
Exception in thread "main" java.lang.Exception: Test failed! Got CR in certificate request. Expected only \n
at SystemLineEndingCertReqTest.main(SystemLineEndingCertReqTest.java:79)