On 30/06/2015 18:32, Ben Humpert wrote:
2015-06-24 1:35 GMT+02:00 Jakob Bohm <jb-open...@wisemo.com>:
On 19/06/2015 16:24, Ben Humpert wrote:
When the CSR contains an email address and the email_in_dn setting in
the config file is set to "no" the email address is actually present
in the issuer DN but not in the subject DN. This causes errors when
verifying certificate chains since the subject hash is used to
identify a cert but the issuer hash is different.

Are you sure? I have not seen this behavior in current
versions when making self-signed certificates. Could
you provide step-by-step reproduction procedures to
cause this misbehavior?
...

openssl req -new -out /etc/ssl/ca/RootCA.csr
openssl ca -selfsign -in /etc/ssl/ca/RootCA.csr -out /etc/ssl/ca/RootCA.crt -notext -startdate 150101000000Z -enddate 191231235959Z

Ah, I didn't even know about that "ca -selfsign" option,
I generally create my root certs using the req or x509
command directly.

I wonder if the ca -selfsign variant takes its
email_in_DN option from a different section than regular
cert signing.

Besides, putting an e-mail attribute in a CSR for a CA
seems unusual.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
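
The symptom reported in this thread (emailAddress in the issuer DN but not in the subject DN of a root certificate) can be checked for directly. The following is an added example, not part of the thread and not OpenSSL project code: shell functions with hypothetical names that compare a certificate's subject and issuer name hashes and report whether emailAddress appears only in the issuer DN. It assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example (function names are hypothetical; requires the openssl CLI).

# Succeeds when the subject and issuer names hash to the same value,
# which is what chain building expects of a self-signed root.
# Returns 2 when openssl cannot read the certificate.
is_self_issued() {
    subj_hash=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    iss_hash=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$subj_hash" = "$iss_hash" ]
}

# has_email_rdn CERT subject|issuer
# Succeeds when the chosen DN carries an emailAddress attribute.
has_email_rdn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
        grep -q 'emailAddress='
}

# Prints a one-line verdict. Exit status: 0 consistent, 1 mismatch, 2 unreadable.
describe_dn_mismatch() {
    rc=0
    is_self_issued "$1" || rc=$?
    case $rc in
        0) echo "OK: subject and issuer hashes match"; return 0 ;;
        2) echo "ERROR: cannot read certificate $1"; return 2 ;;
    esac
    if has_email_rdn "$1" issuer && ! has_email_rdn "$1" subject; then
        echo "MISMATCH: emailAddress is in the issuer DN but not the subject DN"
    else
        echo "MISMATCH: subject and issuer DNs differ"
    fi
    return 1
}

# Stand-alone use: sh check_dn.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then
    describe_dn_mismatch "$1"
fi
```

A certificate intended as a self-signed root that produces the MISMATCH verdict will not be found by subject-hash lookup as its own issuer.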
