On 30/06/2015 18:32, Ben Humpert wrote:
> 2015-06-24 1:35 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 19/06/2015 16:24, Ben Humpert wrote:
>>> When the CSR contains an email address and the email_in_dn setting in
>>> the config file is set to "no" the email address is actually present
>>> in the issuer DN but not in the subject DN. This causes errors when
>>> verifying certificate chains since the subject hash is used to
>>> identify a cert but the issuer hash is different.
>> Are you sure, I have not seen this behavior in current
>> versions when making self-signed certificates, could
>> you provide step by step reproduction procedures to
>> cause this misbehavior?
> ...
>
> openssl req -new -out /etc/ssl/ca/RootCA.csr
> openssl ca -selfsign -in /etc/ssl/ca/RootCA.csr -out
> /etc/ssl/ca/RootCA.crt -notext -startdate 150101000000Z -enddate
> 191231235959Z

Ah, I didn't even know about that "ca -selfsign" option, I
generally create my root certs using the req or x509 command
directly.

I wonder if the ca -selfsign variant takes its email_in_DN
option from a different section than regular cert signing.

Besides, putting an e-mail attribute in a CSR for a CA seems
unusual.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
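
The check implied by the report above, as an added example that is not part of the original thread: a POSIX shell function that compares a certificate's subject and issuer name hashes with `openssl x509`, which should be equal for a self-signed root. The function names, the `Demo Root` names and the throwaway key are constructed for illustration, and `bad.crt` only imitates the reported shape (e-mail attribute in the issuer name but not in the subject); it does not reproduce the `ca -selfsign` behaviour itself.

```shell
#!/bin/sh
# Added example: flag a "self-signed" certificate whose issuer and subject
# names differ (the shape of the problem reported in this thread).

# Exit 0 if subject and issuer name hashes match, 1 if they differ, 2 on error.
check_self_issued() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$subj" = "$iss" ]; then
        echo "OK: subject and issuer hash are both $subj"
        return 0
    fi
    echo "MISMATCH: subject_hash=$subj issuer_hash=$iss"
    # Show both names so the differing attribute is visible.
    openssl x509 -in "$cert" -noout -subject -issuer
    return 1
}

# Constructed sample data (hypothetical names, throwaway key) in directory $1:
#   good.crt  subject == issuer, both carry emailAddress
#   bad.crt   same key, but emailAddress only in the issuer name
build_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/demo.key" \
        -subj "/CN=Demo Root/emailAddress=ca@example.invalid" \
        -days 1 -out "$d/good.crt" 2>/dev/null || return 2
    openssl req -new -key "$d/demo.key" -subj "/CN=Demo Root" \
        -out "$d/demo.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/demo.csr" -CA "$d/good.crt" \
        -CAkey "$d/demo.key" -set_serial 2 -days 1 \
        -out "$d/bad.crt" 2>/dev/null || return 2
}

# Demo run: reports OK for good.crt and MISMATCH for bad.crt.
demo() {
    tmp=$(mktemp -d) || return 2
    build_demo_certs "$tmp" && {
        check_self_issued "$tmp/good.crt" || :
        check_self_issued "$tmp/bad.crt" || :
    }
    rm -rf "$tmp"
}
```

Call `demo` to see both outcomes, or run `check_self_issued` on a root certificate before adding it to a trust store.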