CRL issuer does not match CA subject

Aram Akhavan aram.akhavan at
Fri Mar 29 20:23:31 UTC 2019


I'm creating a small PKI following the guide here:

The intermediate CA cert is created with:
/openssl ca -config $ROOT_CONF -extensions v3_intermediate_ca //-days 
3650 -notext -md sha256/

If I then dump the cert, I see that subject line is
/Subject: C = us, ST = ca, O = test, CN = intermediate CA/

I then create the CRL using:
/openssl ca -config $INTRMDT_CONF //-gencrl -out $INTRMDT_CRL/

When I dump the CRL, though, the issuer is
/Issuer: /C=us/ST=ca/O=test/CN=intermediate ca/

When I put my certificate through, it complains that the CRL 
issuer and intermediate CA subject don't match byte for byte.

Is there a way to have both generated with the same formatting? I looked 
through my configuration files and couldn't find anything that would 
explain the difference. I think it works anyways, but it would be nice 
to have them match...

Best regards,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list