> At the bottom of the man page for x509 it states the following:
The hash algorithm used in the -subject_hash and -issuer_hash options
before OpenSSL 1.0.0 was based on the deprecated MD5
algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and
later it is based on a canonical version of the DN
using SHA1.
The text isn't great. In both cases the printed form is not what is used.
Instead, by "canonical form" is meant the X.509 ASN1/DER encoding.
Your guess -- "I think I'm using a different string" -- is correct.
