What does a0:00 in a CSR's Attributes field mean?

Question

What does a0:00 in a CSR's Attributes field mean? (is it null or empty?)

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (... bit)
                Modulus: ...
                Exponent: ...
        Attributes:
            a0:00

On a related note, should this field show up even when my config file does not even mention the supposed Attributes field?

[ req ]
default_bits       = ...
default_md         = ...
default_keyfile    = ...
distinguished_name = d_name
string_mask        = ...

[ d_name ]
...

Probably relevant: https://www.openssl.org/docs/man1.0.2/man1/req.html#DIAGNOSTICS — Håkan Lindqvist, Aug 17 '20 at 10:44
why don't you add this as the answer? it would be perfect if you also copy over the relevant data, just leaving the link is frowned upon — hanzo2001, Aug 17 '20 at 12:18

score 6 · Accepted Answer · answered Aug 17 '20 at 14:07

Taken from openssl.org

Attributes:
            a0:00

is displayed when no attributes are present and the request includes the correct empty SET OF structure (the DER encoding of which is 0xa0 0x00).

If that fields shows as empty, then the SET OF is missing and the encoding is technically invalid (but it is tolerated).

This is relevant because some (very few) CA require the non-standard-compliant version (eg empty, as in no empty SET OF).

Credits for this to the original commenter.

I was waiting for Hakan to add his comment as an answer but I'll guess yours will have to do — hanzo2001, Aug 17 '20 at 14:12

What does a0:00 in a CSR's Attributes field mean?

1 Answers1