Description of problem:
The CA script in 0.9.8e is missing the -extensions v3_ca flag, causing it to generate an End Entity certification instead of a root CA certification.

Version-Release number of selected component (if applicable):
openssl-0.9.8e-7.el5

How reproducible:

Steps to Reproduce:
1. /etc/pki/tls/misc/CA -newca
2. openssl x509 -in /etc/pki/CA/cacert.pem -text -noout
3.

Actual results:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE

Expected results:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE

Additional info:
The original openssl has this bug, too. Refer to http://rt.openssl.org/Ticket/Display.html
CA.pl works correctly, you should use CA.pl instead of CA.sh.
Here is the upstream patch request: http://rt.openssl.org/Ticket/Display.html?id=1847
In case anyone else winds up here, the CA.pl referenced in the original post is included in the 'openssl-perl' package, which appears to be in the RHEL 5 Server channel (aka the Base channel). I have tested it and it does work.
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5. Please use the CA.pl script as a workaround.
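A check for the symptom in the report, as an added example (not part of this thread or of OpenSSL's scripts): it classifies the Basic Constraints in the `openssl x509 -text -noout` output from step 2, so a freshly generated CA certificate can be verified whichever script produced it. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from OpenSSL.

# Read `openssl x509 -text -noout` output on stdin and print one of:
#   ca          Basic Constraints present with CA:TRUE
#   end-entity  Basic Constraints present with CA:FALSE
#   missing     no Basic Constraints extension (e.g. an X.509 v1 certificate)
basic_constraints_kind() {
    awk '
        /X509v3 Basic Constraints/ { seen = 1; next }  # value is on the following line
        seen && !got {
            if ($0 ~ /CA:TRUE/)       kind = "ca"
            else if ($0 ~ /CA:FALSE/) kind = "end-entity"
            got = 1
        }
        END { print (kind == "" ? "missing" : kind) }
    '
}

# Return 0 only if the PEM file at $1 is usable as a CA certificate.
check_ca_cert() {
    bc_kind=$(openssl x509 -in "$1" -text -noout 2>/dev/null | basic_constraints_kind)
    if [ "$bc_kind" = "ca" ]; then
        echo "OK: $1 has CA:TRUE"
        return 0
    fi
    echo "FAIL: $1 Basic Constraints is '$bc_kind', not a CA certificate" >&2
    return 1
}

# Constructed sample text mirroring the "Actual" and "Expected" results above,
# plus a certificate with no extensions at all.
SAMPLE_ACTUAL='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'
SAMPLE_EXPECTED='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'
SAMPLE_NO_EXT='    Data:
        Version: 1 (0x0)'

for sample in "$SAMPLE_ACTUAL" "$SAMPLE_EXPECTED" "$SAMPLE_NO_EXT"; do
    printf '%s\n' "$sample" | basic_constraints_kind
done
```

After generating a CA, run `check_ca_cert /etc/pki/CA/cacert.pem` and treat a non-zero exit status as a failed build of the CA.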