On Fri, Apr 16, 2021 at 04:27:23PM +0000, Richard Simard wrote:
> root@PKI:/# /usr/bin/openssl ca
> -selfsign
^^^^^^^^^
> -config /etc/root-ca.conf
> -in /ca/network-ca/csr/network-ca.csr
> -out /ca/network-ca/crt/network-ca.crt
> -extensions intermediate_ca_ext
> -startdate 20210101000000Z
> -enddate 20311231235959Z Using
I doubt you actually mean to use the "-selfsign" option:
ca(1):
-selfsign
Indicates the issued certificates are to be signed with the
key the certificate requests were signed with (given with
-keyfile). Certificate requests signed with a different key
are ignored. If -spkac, -ss_cert or -gencrl are given,
-selfsign is ignored.
A consequence of using -selfsign is that the self-signed
certificate appears among the entries in the certificate
database (see the configuration option database), and uses
the same serial number counter as all other certificates sign
with the self-signed certificate.
If you actually intended to use it, then you're probably confused about
what it means, and should change your mind.
--
Viktor.
