On Mon, Apr 08, 2024 at 05:53:47PM -0500, Ted Wynnychenko wrote: > Thanks for the suggestion. > The workaround does work, and creates (essentially) the same certificate, > but one that does not fail verification with the new libressl. > I did notice the option of not have the leading "20" for dates before 2050, > but I did not know enough to try doing that.
Great. openssl ca should be smart enough to do that for you. It tried to, but failed due to a bug. This will be fixed in the next release: https://github.com/openbsd/src/commit/72c7c57a68e32c57ac752161b5a93464ad11e7e1 The incomprehensible verification error is another bug and that will also be fixed.
