[openssl-users] Bug 1.0.1f - selfsign ignores email_in_dn setting

Jakob Bohm jb-openssl at wisemo.com
Tue Jun 30 16:53:11 UTC 2015

On 30/06/2015 18:32, Ben Humpert wrote:
> 2015-06-24 1:35 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> On 19/06/2015 16:24, Ben Humpert wrote:
>>> When the CSR contains an email address and the email_in_dn setting in
>>> the config file is set to "no" the email address is actually present
>>> in the issuer DN but not in the subject DN. This causes errors when
>>> verifying certificate chains since the subject hash is used to
>>> identify a cert but the issuer hash is different.
>> Are you sure? I have not seen this behavior in current
>> versions when making self-signed certificates. Could
>> you provide step-by-step reproduction procedures to
>> cause this misbehavior?
> ...
> openssl req -new -out /etc/ssl/ca/RootCA.csr
> openssl ca -selfsign -in /etc/ssl/ca/RootCA.csr -out /etc/ssl/ca/RootCA.crt -notext -startdate 150101000000Z -enddate 191231235959Z
Ah, I didn't even know about that "ca -selfsign" option;
I generally create my root certs using the req or x509
command directly.

I wonder if the ca -selfsign variant takes its
email_in_DN option from a different section than regular
cert signing.

Besides, putting an e-mail attribute in a CSR for a CA
seems unusual.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
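As an added example (not from this thread or from the OpenSSL project), the script below packages the check the report implies and the reproduction Ben gave: a self-signed certificate must carry the same DN as issuer and subject, and the hashes "openssl x509 -subject_hash/-issuer_hash" prints for it must agree, otherwise chain building by hash lookup fails. It first shows that "req -x509" and a CA-issued leaf behave as expected, then drives "openssl ca -selfsign" with email_in_dn = no and reports whether the two DNs still match. It assumes the openssl CLI is on PATH; the CA directory layout, config sections, names and the e-mail address are all constructed for the demo, and the outcome of the -selfsign step is deliberately not hard-coded, since it depends on the OpenSSL build (the report is against 1.0.1f).

```shell
#!/bin/sh
# Added example, not code from the thread: compare a certificate's issuer DN
# with its subject DN (every self-signed cert must have them equal), then run
# "openssl ca -selfsign" with email_in_dn = no as reported above.
# Assumes the openssl CLI; all paths, names and addresses are constructed.
set -eu

# 0 when subject == issuer (printed DN and lookup hash), 1 otherwise.
selfsigned_dn_consistent() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    shash=$(openssl x509 -in "$1" -noout -subject_hash)
    ihash=$(openssl x509 -in "$1" -noout -issuer_hash)
    # Strip the "subject="/"issuer=" prefixes so old and new print formats compare alike.
    if [ "${subj#subject=}" = "${iss#issuer=}" ] && [ "$shash" = "$ihash" ]; then
        return 0
    fi
    printf 'DN mismatch in %s:\n  %s\n  %s\n  hashes %s vs %s\n' \
        "$1" "$subj" "$iss" "$shash" "$ihash" >&2
    return 1
}

# Throwaway "openssl ca" working directory plus config; prints its path.
setup_ca_dir() {
    CA_DIR=$(mktemp -d)
    mkdir "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_ca
unique_subject  = no
email_in_dn     = no        # the setting under discussion
[ policy_any ]
commonName   = supplied
emailAddress = optional
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN           = Demo Root CA
emailAddress = ca@example.com
EOF
    echo "$CA_DIR"
}

# Control cases: a "req -x509" root (issuer == subject by construction) and a
# leaf issued by that root through "openssl ca" (issuer != subject).
make_control_certs() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/ca.key" \
        -extensions v3_ca -days 1 -out "$d/root.crt"
    openssl req -new -config "$d/openssl.cnf" -key "$d/leaf.key" \
        -subj '/CN=leaf.example.com' -out "$d/leaf.csr"
    openssl ca -batch -config "$d/openssl.cnf" -cert "$d/root.crt" -keyfile "$d/ca.key" \
        -extensions v3_leaf -in "$d/leaf.csr" -out "$d/leaf.crt" -notext >/dev/null 2>&1
}

# The reported path: CSR with an emailAddress, signed via "ca -selfsign"
# under email_in_dn = no. Returns the consistency check's result.
reproduce_ca_selfsign() {
    d=$1
    [ -f "$d/ca.key" ] || openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -config "$d/openssl.cnf" -key "$d/ca.key" -out "$d/selfsign.csr"
    openssl ca -batch -config "$d/openssl.cnf" -selfsign -keyfile "$d/ca.key" \
        -in "$d/selfsign.csr" -out "$d/selfsign.crt" -notext >/dev/null 2>&1
    selfsigned_dn_consistent "$d/selfsign.crt"
}

main() {
    dir=$(setup_ca_dir)
    make_control_certs "$dir"
    selfsigned_dn_consistent "$dir/root.crt" && echo "req -x509 root: issuer == subject"
    if reproduce_ca_selfsign "$dir"; then
        echo "ca -selfsign, email_in_dn = no: issuer == subject on this build"
    else
        echo "ca -selfsign, email_in_dn = no: issuer != subject (the behaviour reported above)"
    fi
}
main
```

The leaf certificate is included only as a negative control for the check; on a system whose ca -selfsign is affected, the final line shows the e-mail attribute present in the issuer but absent from the subject, which is exactly what makes the two hashes disagree.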
