2015-06-24 1:35 GMT+02:00 Jakob Bohm <jb-open...@wisemo.com>:
> On 19/06/2015 16:24, Ben Humpert wrote:
>>
>> When the CSR contains an email address and the email_in_dn setting in
>> the config file is set to "no", the email address is actually present
>> in the issuer DN but not in the subject DN. This causes errors when
>> verifying certificate chains, since the subject hash is used to
>> identify a cert but the issuer hash is different.
>
> Are you sure? I have not seen this behavior in current
> versions when making self-signed certificates. Could
> you provide step-by-step reproduction procedures to
> cause this misbehavior?
I have the openssl.cnf attached.

##### Step-By-Step below #####
cd /etc/ssl/
mv /etc/ssl/ca /etc/ssl/ca_orig
mkdir -p /etc/ssl/ca/db /etc/ssl/ca/private /etc/ssl/ca/certs /etc/ssl/ca/crl /etc/ssl/ca/out /etc/ssl/ca/reqs
chmod 700 /etc/ssl/ca/private
cp /dev/null /etc/ssl/ca/db/RootCA.db
cp /dev/null /etc/ssl/ca/db/RootCA.db.attr
openssl rand -hex 16 > /etc/ssl/ca/db/RootCA.crt.srl
echo 1001 > /etc/ssl/ca/db/RootCA.crl.srl
cd /etc/ssl/ca/
openssl req -new -out /etc/ssl/ca/RootCA.csr
openssl ca -selfsign -in /etc/ssl/ca/RootCA.csr -out /etc/ssl/ca/RootCA.crt -notext -startdate 150101000000Z -enddate 191231235959Z
ln -s /etc/ssl/ca/RootCA.crt /etc/ssl/certs/`openssl x509 -hash -noout -in RootCA.crt`.0
openssl verify /etc/ssl/ca/RootCA.crt
ln -s /etc/ssl/ca/RootCA.crt /etc/ssl/certs/`openssl x509 -issuer_hash -noout -in RootCA.crt`.0
openssl verify /etc/ssl/ca/RootCA.crt
##### Step-By-Step above #####

##### Cleanup below #####
cd /etc/ssl/
rm -rf /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/ca/RootCA.crt`.0
rm -rf /etc/ssl/certs/`openssl x509 -issuer_hash -noout -in /etc/ssl/ca/RootCA.crt`.0
rm -rf /etc/ssl/ca
mv /etc/ssl/ca_orig /etc/ssl/ca
##### Cleanup above #####

You cannot verify this certificate. OpenSSL always returns

>> error 20 at 0 depth lookup:unable to get local issuer certificate <<

To prevent this, uncomment or completely delete the emailAddress line in your certificate request.
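A check for the symptom discussed in this thread, added here as an example and not part of the original mail: it compares a certificate's subject hash with its issuer hash (the two names the reproduction above links under) and prints both DNs so a stray emailAddress in one of them is visible. It assumes the openssl CLI is on PATH; the root and leaf it builds are constructed for the demo (the leaf simply stands in for any cert whose issuer and subject DNs disagree), not the certificates from the report.

```shell
#!/bin/sh
# Diagnostic for the symptom in the mail: a certificate that should be
# self-signed but whose issuer DN differs from its subject DN, so the file
# named <subject-hash>.0 in the cert dir is never found by issuer hash.
# Assumes the openssl CLI is on PATH; all certificates are generated here.

# Print both hashes and DNs; return 0 if subject and issuer agree, 1 if not.
check_self_signed_dn() {
    cert="$1"
    subj_hash=$(openssl x509 -noout -hash -in "$cert") || return 2
    iss_hash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    echo "subject hash: $subj_hash  $(openssl x509 -noout -subject -in "$cert")"
    echo "issuer  hash: $iss_hash  $(openssl x509 -noout -issuer -in "$cert")"
    if [ "$subj_hash" = "$iss_hash" ]; then
        echo "OK: ${subj_hash}.0 is the file verify will look for"
        return 0
    fi
    echo "MISMATCH: verify looks for ${iss_hash}.0, but the cert is filed as ${subj_hash}.0"
    return 1
}

# Build a consistent self-signed root (with an emailAddress in the DN, as in
# the report) and a leaf signed by it, whose issuer DN differs from its
# subject DN. Prints the directory holding root.pem and leaf.pem.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root/emailAddress=ca@example.invalid" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-leaf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone run (sh script.sh demo): the root passes, the leaf is a mismatch.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_certs)
    check_self_signed_dn "$d/root.pem"
    check_self_signed_dn "$d/leaf.pem" || true
fi
```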