Bug 524780

Summary: CA script missing option when calling openssl
Product: Red Hat Enterprise Linux 5 Reporter: REN Xiaolei <julyclyde>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium Docs Contact:
Priority: low    
Version: 5.3CC: jbrier, ralph
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-05 15:22:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description REN Xiaolei 2009-09-22 07:15:50 UTC
Description of problem:
The CA script in 0.9.8e is missing the -extensions v3_ca flag, caused it to generate an End Entity certification instead of a root CA certification.

Version-Release number of selected component (if applicable):
openssl-0.9.8e-7.el5

How reproducible:



Steps to Reproduce:
1./etc/pki/tls/misc/CA -newca
2.openssl x509 -in /etc/pki/CA/cacert.pem -text -noout
3.
  
Actual results:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
 

Expected results:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
 

Additional info:
the original openssl has this bug, too. Refer to http://rt.openssl.org/Ticket/Display.html
CA.pl works correctly, you should use CA.pl instead of CA.sh

Comment 1 Tomas Mraz 2009-09-22 16:37:36 UTC
Here is the upstream patch request:
http://rt.openssl.org/Ticket/Display.html?id=1847

Comment 2 John Brier 2011-01-11 02:39:55 UTC
In case anyone else winds up here, the CA.pl referenced in the original post is included in the 'openssl-perl' package which appears to be in the RHEL 5 Server channel (aka the Base channel)

I have tested it and it does work.

Comment 3 Tomas Mraz 2012-03-05 15:22:32 UTC
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5. Please use the CA.pl script as a workaround.