| Summary: | Regression brought with openssl | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Philippe Vouters <Philippe.Vouters> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | mjg, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-12 09:20:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Philippe Vouters
2013-10-02 09:51:35 UTC
Here is the evidence of the problem under Fedora 19/OpenSSL V1.0.1e:
[philippe@victor Miroslav]$ sudo openssl ca -selfsign -cert serverCert.pem -keyfile serverKey.pem -keyform PEM -out serverCaCert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for serverKey.pem:
[philippe@victor Miroslav]$ ls serverCaCert.pem
ls: cannot access serverCaCert.pem: No such file or directory

Comment
I can't see how this could ever work. And in your instructions on the dyndns page I am really confused why you are doing this. The self-signed certificate to be signed by the CA should be specified by -ss_cert and not -cert. The -cert specifies the certificate of the CA.

Comment
Philippe Vouters
The truth with the
# openssl ca -selfsign -cert /etc/ipsec.d/certs/serverCert.pem \
-keyfile /etc/ipsec.d/private/serverKey.pem -keyform PEM \
-out /etc/ipsec.d/cacerts/serverCert.pem
command I document under Fedora 17 is that I have been able to produce the PKCS12 file (aka .p12) using the command:
# openssl pkcs12 -export -certfile /etc/ipsec.d/cacerts/caCert.pem \
-inkey /etc/ipsec.d/private/serverKey.pem \
-in /etc/ipsec.d/cacerts/serverCert.pem -out server.p12
Enter pass phrase for etc/ipsec.d/private/serverKey.pem:
Enter Export Password:
Verifying - Enter Export Password:
So, using exactly the first command's output file (aka /etc/ipsec.d/cacerts/serverCert.pem), I can still use the resultant .p12 file for my Shrew/Libreswan tests with Mutual RSA authentication. This should last until the expiration date of the CA certificate.
Since this Fedora 17 command no longer produces any output file under openssl 1.0.1e, unlike it did under openssl 1.0.1j, the command I now have to document is
# openssl ca -selfsign -in serverReq.pem -keyfile mycs.prv -out serverCACert.pem
which produces a file with the following content:
[philippe@victor Miroslav]$ cat serverCACert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e3:12:b2:93:0f:0d:5b:48
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=fr, ST=France, O=Vouters Illimited, CN=vouters.dyndns.org/emailAddress=Philippe.Vouters
Validity
Not Before: Oct 3 11:56:47 2013 GMT
Not After : Oct 3 11:56:47 2014 GMT
Subject: C=fr, ST=France, O=Vouters Illimited, CN=vouters.dyndns.org/emailAddress=Philippe.Vouters
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d5:94:74:28:0b:05:2e:37:b1:65:cf:1f:27:2d:
46:8b:99:10:a4:1c:e1:6a:d6:a7:84:b3:6a:c6:88:
85:e9:0a:7a:69:cd:05:95:3c:ac:1a:c9:5c:1e:0b:
55:f7:32:b9:a0:43:9b:48:1b:a7:2b:9e:5d:ee:6d:
a1:b5:f5:36:bd:93:b6:ad:6b:c4:ef:1a:02:20:21:
5f:c6:0e:d8:18:5f:02:58:56:51:d0:71:7f:b1:da:
53:13:62:94:99:ad:7b:ed:b9:39:05:83:d6:54:3e:
7e:95:a7:94:af:28:36:62:ae:43:87:3a:a6:12:3c:
1a:43:b8:4d:1c:54:04:c4:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B9:CC:E4:26:16:EB:64:BE:DF:69:7E:40:2F:D4:02:5A:6B:F3:9E:4D
X509v3 Authority Key Identifier:
keyid:B9:CC:E4:26:16:EB:64:BE:DF:69:7E:40:2F:D4:02:5A:6B:F3:9E:4D
Signature Algorithm: sha1WithRSAEncryption
62:17:37:4d:0e:86:5b:13:dc:54:ce:81:c0:d8:5c:36:dc:0f:
27:9a:65:76:4c:8a:34:6c:d1:b5:35:e0:7d:af:25:ea:66:6f:
32:40:da:a2:98:62:37:db:4c:fe:f1:3c:4f:b9:7b:a8:16:6a:
c0:e7:fc:cf:f8:e2:40:60:44:21:7e:ba:ed:3f:7f:72:6f:af:
8b:ee:42:50:09:d9:b8:dc:2c:d6:82:ef:7c:d6:0e:3e:cf:7d:
cd:2d:c6:0e:0d:f3:79:bb:45:38:b1:12:20:fd:a2:b0:36:f4:
2c:d0:85:90:3a:01:06:a5:cd:b8:b6:48:76:bd:4d:41:21:92:
6e:75
-----BEGIN CERTIFICATE-----
MIIDAzCCAmygAwIBAgIJAOMSspMPDVtIMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJmcjEPMA0GA1UECAwGRnJhbmNlMRowGAYDVQQKDBFWb3V0ZXJzIElsbGlt
aXRlZDEbMBkGA1UEAwwSdm91dGVycy5keW5kbnMub3JnMSswKQYJKoZIhvcNAQkB
FhxQaGlsaXBwZS5Wb3V0ZXJzQGxhcG9zdGUubmV0MB4XDTEzMTAwMzExNTY0N1oX
DTE0MTAwMzExNTY0N1owgYQxCzAJBgNVBAYTAmZyMQ8wDQYDVQQIDAZGcmFuY2Ux
GjAYBgNVBAoMEVZvdXRlcnMgSWxsaW1pdGVkMRswGQYDVQQDDBJ2b3V0ZXJzLmR5
bmRucy5vcmcxKzApBgkqhkiG9w0BCQEWHFBoaWxpcHBlLlZvdXRlcnNAbGFwb3N0
ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWUdCgLBS43sWXPHyct
RouZEKQc4WrWp4SzasaIhekKemnNBZU8rBrJXB4LVfcyuaBDm0gbpyueXe5tobX1
Nr2Ttq1rxO8aAiAhX8YO2BhfAlhWUdBxf7HaUxNilJmte+25OQWD1lQ+fpWnlK8o
NmKuQ4c6phI8GkO4TRxUBMTLAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS5
zOQmFutkvt9pfkAv1AJaa/OeTTAfBgNVHSMEGDAWgBS5zOQmFutkvt9pfkAv1AJa
a/OeTTANBgkqhkiG9w0BAQUFAAOBgQBiFzdNDoZbE9xUzoHA2Fw23A8nmmV2TIo0
bNG1NeB9ryXqZm8yQNqimGI320z+8TxPuXuoFmrA5/zP+OJAYEQhfrrtP39yb6+L
7kJQCdm43CzWgu981g4+z33NLcYODfN5u0U4sRIg/aKwNvQs0IWQOgEGpc24tkh2
vU1BIZJudQ==
-----END CERTIFICATE-----
which also looks like a perfectly signed certificate. Such signed certificates
look quite ideal as inputs for generating PKCS12 formatted files.
Yours truly,
Philippe Vouters (Fontainebleau/France)
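As an added example (not part of the bug report and not OpenSSL's own code), the following Python script takes the certificate printed above, decodes it with a small DER reader written here for the purpose, and checks the properties that make it a self-signed certificate: issuer equals subject, the Authority Key Identifier equals the Subject Key Identifier, and the signature verifies under the certificate's own RSA public key. It also reads Basic Constraints, which for this certificate is CA:FALSE. Only the standard library is used; the reader handles just what this certificate needs (single-octet tags, sha1WithRSAEncryption, RSASSA-PKCS1-v1_5), and the PEM text is copied verbatim from the comment above.

```python
import base64
import hashlib

# Certificate copied verbatim from the bug comment above.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDAzCCAmygAwIBAgIJAOMSspMPDVtIMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJmcjEPMA0GA1UECAwGRnJhbmNlMRowGAYDVQQKDBFWb3V0ZXJzIElsbGlt
aXRlZDEbMBkGA1UEAwwSdm91dGVycy5keW5kbnMub3JnMSswKQYJKoZIhvcNAQkB
FhxQaGlsaXBwZS5Wb3V0ZXJzQGxhcG9zdGUubmV0MB4XDTEzMTAwMzExNTY0N1oX
DTE0MTAwMzExNTY0N1owgYQxCzAJBgNVBAYTAmZyMQ8wDQYDVQQIDAZGcmFuY2Ux
GjAYBgNVBAoMEVZvdXRlcnMgSWxsaW1pdGVkMRswGQYDVQQDDBJ2b3V0ZXJzLmR5
bmRucy5vcmcxKzApBgkqhkiG9w0BCQEWHFBoaWxpcHBlLlZvdXRlcnNAbGFwb3N0
ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWUdCgLBS43sWXPHyct
RouZEKQc4WrWp4SzasaIhekKemnNBZU8rBrJXB4LVfcyuaBDm0gbpyueXe5tobX1
Nr2Ttq1rxO8aAiAhX8YO2BhfAlhWUdBxf7HaUxNilJmte+25OQWD1lQ+fpWnlK8o
NmKuQ4c6phI8GkO4TRxUBMTLAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS5
zOQmFutkvt9pfkAv1AJaa/OeTTAfBgNVHSMEGDAWgBS5zOQmFutkvt9pfkAv1AJa
a/OeTTANBgkqhkiG9w0BAQUFAAOBgQBiFzdNDoZbE9xUzoHA2Fw23A8nmmV2TIo0
bNG1NeB9ryXqZm8yQNqimGI320z+8TxPuXuoFmrA5/zP+OJAYEQhfrrtP39yb6+L
7kJQCdm43CzWgu981g4+z33NLcYODfN5u0U4sRIg/aKwNvQs0IWQOgEGpc24tkh2
vU1BIZJudQ==
-----END CERTIFICATE-----"""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")            # 2.5.29.19
OID_SUBJECT_KEY_ID = bytes.fromhex("551d0e")               # 2.5.29.14
OID_AUTHORITY_KEY_ID = bytes.fromhex("551d23")             # 2.5.29.35
OID_SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 9.2


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))


def read_tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, start, end)."""
    start, tag, length, pos = pos, data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], start, pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, _, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def verify_pkcs1_sha1(signature, n, e, signed_bytes):
    """Check an RSASSA-PKCS1-v1_5 / SHA-1 signature by rebuilding the padded block."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA1_DIGEST_INFO + hashlib.sha1(signed_bytes).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def inspect_certificate(pem):
    """Return the facts that decide whether this is a usable self-signed CA certificate."""
    _, cert, _, _ = read_tlv(pem_to_der(pem))
    (_, tbs), (_, sig_alg), (_, sig_bits) = children(cert)
    _, _, tbs_start, tbs_end = read_tlv(cert)       # the exact bytes the signature covers
    tbs_der = cert[tbs_start:tbs_end]
    if children(sig_alg)[0][1] != OID_SHA1_WITH_RSA:
        raise ValueError("only sha1WithRSAEncryption is handled in this example")
    fields = children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer, subject, spki = fields[2][1], fields[4][1], fields[5][1]
    # SubjectPublicKeyInfo -> BIT STRING (first octet = unused bits) -> RSAPublicKey {n, e}
    (_, _alg), (_, pubkey_bits) = children(spki)
    (_, n_bytes), (_, e_bytes) = children(children(pubkey_bits[1:])[0][1])
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    # Extensions: [3] EXPLICIT SEQUENCE OF { OID, [critical BOOLEAN], OCTET STRING }
    exts = {}
    if len(fields) > 6 and fields[6][0] == 0xA3:
        for _, ext in children(children(fields[6][1])[0][1]):
            parts = children(ext)
            exts[parts[0][1]] = parts[-1][1]
    bc = children(exts.get(OID_BASIC_CONSTRAINTS, b"\x30\x00"))[0][1]
    is_ca = any(tag == 0x01 and val == b"\xff" for tag, val in children(bc))  # cA DEFAULT FALSE
    ski = children(exts[OID_SUBJECT_KEY_ID])[0][1]
    aki = children(children(exts[OID_AUTHORITY_KEY_ID])[0][1])
    aki_keyid = next(val for tag, val in aki if tag == 0x80)   # [0] keyIdentifier
    return {
        "serial": serial,
        "issuer_equals_subject": issuer == subject,
        "ski": ski,
        "aki_matches_ski": aki_keyid == ski,
        "is_ca": is_ca,
        "self_signature_valid": verify_pkcs1_sha1(sig_bits[1:], n, e, tbs_der),
    }


if __name__ == "__main__":
    for key, value in inspect_certificate(CERT_PEM).items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

Run stand-alone, the script reports the serial e312b2930f0d5b48, matching key identifiers, a valid self-signature and is_ca False. The last point is the practical caveat: a path validator checks Basic Constraints on every issuer, so a certificate placed under cacerts/ with CA:FALSE is accepted only as an end-entity certificate, not as the signer of other certificates. When openssl ca -selfsign is meant to mint a CA certificate, sign with an extension section that sets basicConstraints to CA:TRUE (the stock openssl.cnf ships one as v3_ca, selected with -extensions v3_ca).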
Comment
Philippe, would you mind double checking your openssl versions? It should be 1.0.0k on F17 (not 1.0.1k). F17 should not have a higher version than F18 (than F19...). Differences between 1.0.0 and 1.0.1 are unfortunate but unavoidable. If the version ordering is OK I would suggest closing this bug as invalid (OP mixed up version numbers).

Comment
Philippe Vouters
Last OpenSSL RPM for Fedora 17:
http://rpm.pbone.net/index.php3/stat/4/idpl/20317808/dir/fedora_17/com/openssl-1.0.0k-1.fc17.i686.rpm.html
Last OpenSSL RPM for Fedora 19:
http://rpm.pbone.net/index.php3/stat/4/idpl/20602625/dir/fedora_19/com/openssl-1.0.1e-4.fc19.i686.rpm.html
The OpenSSL RPMs installed on my computer now running Fedora 19 (kept updated with yum):
[philippe@victor ~]$ rpm -qa | grep openssl
xmlsec1-openssl-1.2.18-4.fc19.i686
openssl-libs-1.0.1e-28.fc19.i686
xmlsec1-openssl-devel-1.2.18-4.fc19.i686
openssl-1.0.1e-28.fc19.i686
openssl-devel-1.0.1e-28.fc19.i686
[philippe@victor ~]$
Yours truly,
Philippe

Comment
Philippe Vouters
I messed up myself with the last OpenSSL digit on Fedora 17. At http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven-Part_2.html I do document OpenSSL Version 1.0.0j for Fedora 17. Deeply sorry about this. However, why has this command I document for OpenSSL Version 1.0.0j:
# openssl ca -selfsign -cert /etc/ipsec.d/certs/serverCert.pem \
-keyfile /etc/ipsec.d/private/serverKey.pem -keyform PEM \
-out /etc/ipsec.d/cacerts/serverCert.pem
become invalid under OpenSSL Version 1.0.1e (i.e.: /etc/ipsec.d/cacerts/serverCert.pem has become empty)? Why does this now have to read:
# openssl ca -selfsign -in mycsReq.pem -keyfile mycs.prv -out mycsCACert.pem
????
Yours truly,
Philippe

Comment
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained.

Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.