>From: owner-openssl-us...@openssl.org On Behalf Of Salz, Rich
>Sent: Tuesday, 09 April, 2013 12:55

-dev added, I think this is a bug

>This pair of commands used to work as expected, but in 1.0.0 and
>later the resulting cert is self-signed, and not signed by the CA key.

ITYM 1.0.1 as per subject.

>openssl req -x509 -days 999 -keyout req.key -out req.pem \
> -subj /CN=testme -nodes -new -newkey rsa:2048

req -new -x509 should and does produce a selfsigned cert.
(Do you really want both self-signed AND CA-signed? If not
you could just do req -new and x509 -req.)

>openssl x509 -in req.pem -CA cacert.pem \
> -CAkey cakey.pem -set_serial 1234 -out cert.pem

Here I get correct result in 1.0.0 but wrong in 1.0.1.
The signature is in fact under the CA key per rsautl,
but the Issuer field does not identify the CA as it should,
it still equals Subject falsely indicating selfsigned.

This occurs even though x509_certify in apps/x509.c did change
x->cert_info->issuer. I suspect this may be asn1 using a cached
encoding when it shouldn't, but the code is convoluted enough
I can't figure out where to debug.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
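
The symptom reported in this message, a certificate whose Issuer field still equals its Subject after being re-signed by a CA, can be checked for by reading the two Name fields out of the DER and comparing them with the CA's Subject. The following is an added example, not code from the message or from OpenSSL; `skeleton_cert`, `classify` and the CN "Test CA" are constructed for illustration, and the check compares raw Name bytes only, without verifying the signature.

```python
# Added example: flag a certificate whose Issuer does not match the CA's Subject.
# Stdlib only. The sample DER is a constructed skeleton, not a real certificate.

def tlv(tag, value):
    """DER-encode one tag/length/value triple (definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, off):
    """Return (tag, value, offset of the next element) for the TLV at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                        # long form: low bits = length octets
        k = first & 0x7F
        length = int.from_bytes(buf[off:off + k], "big")
        off += k
    else:
        length = first
    return tag, buf[off:off + length], off + length

def issuer_and_subject(cert_der):
    """Extract the raw DER Name values of issuer and subject."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    fields, off = [], 0
    while off < len(tbs):
        tag, val, off = read_tlv(tbs, off)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(val)
    # Remaining order: serial, signature alg, issuer, validity, subject, ...
    return fields[2], fields[4]

def classify(cert_der, ca_der):
    """Byte-wise name comparison (not full RFC 5280 name matching)."""
    issuer, subject = issuer_and_subject(cert_der)
    _, ca_subject = issuer_and_subject(ca_der)
    if issuer == ca_subject:
        return "issuer matches CA"
    return "issuer equals subject (looks self-signed)" if issuer == subject else "issuer mismatch"

def skeleton_cert(issuer_cn, subject_cn):
    """Constructed sample: certificate-shaped DER with placeholder key and signature."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"130409000000Z") + tlv(0x17, b"160103000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x04\xd2") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

On real files, the same function works on the output of `openssl x509 -outform DER`.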