Help request

Viktor Dukhovni openssl-users at
Fri Apr 16 16:36:50 UTC 2021

On Fri, Apr 16, 2021 at 04:27:23PM +0000, Richard Simard wrote:

> root at PKI:/# /usr/bin/openssl ca
>   -selfsign
>   -config /etc/root-ca.conf
>   -in /ca/network-ca/csr/network-ca.csr
>   -out /ca/network-ca/crt/network-ca.crt
>   -extensions intermediate_ca_ext
>   -startdate 20210101000000Z
>   -enddate 20311231235959Z Using

I doubt you actually mean to use the "-selfsign" option:


           Indicates the issued certificates are to be signed with the
           key the certificate requests were signed with (given with
           -keyfile).  Certificate requests signed with a different key
           are ignored.  If -spkac, -ss_cert or -gencrl are given,
           -selfsign is ignored.

           A consequence of using -selfsign is that the self-signed
           certificate appears among the entries in the certificate
           database (see the configuration option database), and uses
           the same serial number counter as all other certificates sign
           with the self-signed certificate.

If you actually intended to use it, then you're probably confused about
what it means, and should change your mind.


More information about the openssl-users mailing list