Your suspicion in that old thread was right. Adding this fixed it: --- //projects/shared/openssl-6.101.5.1/akamai/openssl/apps/x509.c 2013-03-01 23:14:34.000000000 0000 +++ /home/rsalz/p4/misc/openssl/apps/x509.c 2013-03-01 23:14:34.000000000 0000 @@ -1217,6 +1217,7 @@ if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; }
+ x->cert_info->enc.modified = 1; if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) goto end; ret=1;

-- 
Principal Security Engineer
Akamai Technology
Cambridge, MA

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, May 01, 2013 4:48 PM
To: openssl-users@openssl.org; r...@openssl.org
Subject: RE: Bug(?) in x509 app

>From: owner-openssl-us...@openssl.org On Behalf Of Salz, Rich
>Sent: Wednesday, 01 May, 2013 15:11
>To: openssl-users@openssl.org; r...@openssl.org

>I have a self-signed certificate (new.crt) that I want to sign with the
>x509 app and the keypair that is in ca.pem.
<snip>
>With the latest, it looks like the only thing output is the new
>signature L
<snip>
>Not only is the issuer wrong, but the cert extensions aren't removed.

See thread "change in x509 -CA in 1.0.1?" 4/09-4/11.

>Any thoughts? I stepped through the x590_main, and it looked
>reasonable, until I got lost in the PEM/ASN1 macros.

me2. (Actually x509_certify in x509.c, but close enough.)

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
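
Review bot: the added `x->cert_info->enc.modified = 1;` in front of the `do_X509_sign` call carries no comment saying why the flag is set, and nothing in the surrounding lines explains it. A one-line comment stating that the cached encoding of cert_info has to be discarded so that the signature is computed over the certificate as modified (new issuer, changed extensions) would keep the line from being dropped in a later cleanup. The line sits after the closing brace that follows the `X509V3_EXT_add_nconf` call, so it runs whether or not extensions were added; the symptoms reported in this thread (issuer not updated) suggest that is what is wanted, but it is worth confirming. Setting the field from apps/x509.c also reaches into the certificate's internals from application code, so other callers that modify a certificate and re-sign it would still see the stale encoding; marking the encoding as modified in the library routines that change cert_info would cover them too.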