Bug 524780 - CA script missing option when calling openssl
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.3
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-22 07:15 UTC by REN Xiaolei
Modified: 2012-03-05 15:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-05 15:22:32 UTC



Description REN Xiaolei 2009-09-22 07:15:50 UTC
Description of problem:
The CA script in 0.9.8e is missing the -extensions v3_ca flag, causing it to generate an End Entity certificate instead of a root CA certificate.

Version-Release number of selected component (if applicable):
openssl-0.9.8e-7.el5

How reproducible:



Steps to Reproduce:
1. /etc/pki/tls/misc/CA -newca
2. openssl x509 -in /etc/pki/CA/cacert.pem -text -noout
  
Actual results:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
 

Expected results:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
 

Additional info:
The original openssl has this bug, too. Refer to http://rt.openssl.org/Ticket/Display.html
CA.pl works correctly; you should use CA.pl instead of CA.sh.

Comment 1 Tomas Mraz 2009-09-22 16:37:36 UTC
Here is the upstream patch request:
http://rt.openssl.org/Ticket/Display.html?id=1847

Comment 2 John Brier 2011-01-11 02:39:55 UTC
In case anyone else winds up here, the CA.pl referenced in the original post is included in the 'openssl-perl' package, which appears to be in the RHEL 5 Server channel (aka the Base channel).

I have tested it and it does work.

Comment 3 Tomas Mraz 2012-03-05 15:22:32 UTC
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5. Please use the CA.pl script as a workaround.
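
Added example (not part of the bug report and not the CA script's code): the mechanism from the description, shown with `openssl req -x509` and a config constructed for this demo rather than with CA.sh and the RHEL openssl.cnf. The section name `usr_cert`, the default `x509_extensions` setting and the function names `ca_flag` and `issue_and_check` are assumptions; `v3_ca` is the section named in the report.

```shell
#!/bin/sh
# Shows how omitting "-extensions v3_ca" changes X509v3 Basic Constraints.
# The config is constructed for this demo; it is not the RHEL openssl.cnf.

# Print TRUE, FALSE or ABSENT for the CA flag of the certificate file in $1.
ca_flag() {
    openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ {
             getline; sub(/^[ \t]+/, ""); split($0, f, ",")
             sub(/^CA:/, "", f[1]); print f[1]; found = 1
         }
         END { if (!found) print "ABSENT" }'
}

# Self-sign a throwaway certificate, passing any extra arguments through to
# "openssl req", then print the CA flag of the result.
issue_and_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
# Default extension section, used whenever -extensions is not given.
x509_extensions    = usr_cert

[ dn ]
CN = Constructed Demo CA

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = CA:TRUE
EOF
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -config "$dir/demo.cnf" \
        -key "$dir/key.pem" -out "$dir/cert.pem" "$@" &&
    ca_flag "$dir/cert.pem"
    status=$?
    rm -rf "$dir"
    return $status
}

echo "without -extensions v3_ca: CA:$(issue_and_check)"
echo "with    -extensions v3_ca: CA:$(issue_and_check -extensions v3_ca)"
```

Running `ca_flag /etc/pki/CA/cacert.pem` gives the same answer as step 2 of the report in one word, which makes it usable as a check after `-newca` before any certificates are issued from the new CA.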

