2015-06-24 1:35 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
> On 19/06/2015 16:24, Ben Humpert wrote:
>>
>> When the CSR contains an email address and the email_in_dn setting in
>> the config file is set to "no", the email address is actually present
>> in the issuer DN but not in the subject DN. This causes errors when
>> verifying certificate chains, since the subject hash is used to
>> identify a cert but the issuer hash is different.
>
> Are you sure? I have not seen this behavior in current
> versions when making self-signed certificates. Could
> you provide step-by-step reproduction procedures to
> cause this misbehavior?

I have the openssl.cnf attached.

##### Step-By-Step below #####

cd /etc/ssl/
mv /etc/ssl/ca /etc/ssl/ca_orig
mkdir -p /etc/ssl/ca/db /etc/ssl/ca/private /etc/ssl/ca/certs /etc/ssl/ca/crl /etc/ssl/ca/out /etc/ssl/ca/reqs
chmod 700 /etc/ssl/ca/private
cp /dev/null /etc/ssl/ca/db/RootCA.db
cp /dev/null /etc/ssl/ca/db/RootCA.db.attr
openssl rand -hex 16 > /etc/ssl/ca/db/RootCA.crt.srl
echo 1001 > /etc/ssl/ca/db/RootCA.crl.srl
cd /etc/ssl/ca/
openssl req -new -out /etc/ssl/ca/RootCA.csr
openssl ca -selfsign -in /etc/ssl/ca/RootCA.csr -out /etc/ssl/ca/RootCA.crt -notext -startdate 150101000000Z -enddate 191231235959Z
ln -s /etc/ssl/ca/RootCA.crt /etc/ssl/certs/`openssl x509 -hash -noout -in RootCA.crt`.0
openssl verify /etc/ssl/ca/RootCA.crt
ln -s /etc/ssl/ca/RootCA.crt /etc/ssl/certs/`openssl x509 -issuer_hash -noout -in RootCA.crt`.0
openssl verify /etc/ssl/ca/RootCA.crt

##### Step-By-Step above #####

##### Cleanup below #####

cd /etc/ssl/
rm -rf /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/ca/RootCA.crt`.0
rm -rf /etc/ssl/certs/`openssl x509 -issuer_hash -noout -in /etc/ssl/ca/RootCA.crt`.0
rm -rf /etc/ssl/ca
mv /etc/ssl/ca_orig /etc/ssl/ca

##### Cleanup above #####

You cannot verify this certificate. OpenSSL always returns:

    error 20 at 0 depth lookup:unable to get local issuer certificate

To prevent this, uncomment or completely delete the emailAddress line in your certificate request.

Attachment: openssl.cnf (3136 bytes)
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150630/9088c1d1/attachment.obj>
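The hash comparison behind the reproduction above, scripted as an added example (it is not from the original post or from OpenSSL): it compares the `-subject_hash` and `-issuer_hash` of a certificate, reports which CApath file name `openssl verify` will actually look for, and populates a CApath directory the way c_rehash does (subject hash plus a `.0` suffix) before verifying against it. The sample certificate it generates is constructed with `openssl req -x509`, which sets the issuer equal to the subject, so both checks pass for it; run the check against a certificate produced by `openssl ca -selfsign` with `email_in_dn = no` to see whether the two hashes diverge as described. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Detects a subject/issuer
# hash mismatch in a self-signed certificate and shows which CApath file
# name "openssl verify" will look for. Function names are this example's own.
set -eu

# Compare the hash of the subject DN with the hash of the issuer DN.
# Returns 0 when they agree (the cert is reachable through its own -hash
# link) and 1 when they differ (verify would report error 20).
check_selfsigned_hashes() {
    cert="$1"
    subj_hash=$(openssl x509 -noout -subject_hash -in "$cert")
    iss_hash=$(openssl x509 -noout -issuer_hash -in "$cert")
    printf 'subject: %s\n' "$(openssl x509 -noout -subject -in "$cert")"
    printf 'issuer:  %s\n' "$(openssl x509 -noout -issuer -in "$cert")"
    printf 'subject_hash=%s issuer_hash=%s\n' "$subj_hash" "$iss_hash"
    if [ "$subj_hash" = "$iss_hash" ]; then
        echo "OK: CApath entry ${subj_hash}.0 serves both subject and issuer lookup"
        return 0
    fi
    echo "MISMATCH: verify looks up ${iss_hash}.0, but the -hash link is ${subj_hash}.0"
    return 1
}

# Populate a CApath directory the way c_rehash does (subject hash plus a
# .N suffix) and verify the certificate against it. Returns openssl's status.
verify_via_capath() {
    cert="$1"
    capath="$2"
    mkdir -p "$capath"
    cp "$cert" "$capath/$(openssl x509 -noout -subject_hash -in "$cert").0"
    openssl verify -CApath "$capath" "$cert" >/dev/null 2>&1
}

# Constructed sample input: "openssl req -x509" sets issuer equal to subject,
# including the emailAddress component, so both checks succeed for it.
# Prints the path of the generated certificate.
make_sample_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Root/emailAddress=ca@example.invalid' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage: sh check_ca_hashes.sh /etc/ssl/ca/RootCA.crt
if [ "$#" -ge 1 ]; then
    check_selfsigned_hashes "$1"
fi
```

`openssl verify` resolves an issuer by hashing the issuer DN and opening `<hash>.N` in the CApath, while c_rehash and the `-hash` option name the file after the subject DN; the script makes that difference visible before any symlinks are created under /etc/ssl/certs.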