Hi Dave, a few hints which might help here:
In our installation old signatures on the CSRs are broken, too (I see this when I go to the CA interface, Information, Certificate Requests, Archived). In the list there is an error displayed, and if I click on the CSR's serial and then on the icon "Signature Error" I can see more details. In my case it lists a few things, but the main error seems to be that the RA-operator certificate which was used to sign the request has expired. Maybe in your case the error has a different reason, but these messages might be a starting point for debugging.

Furthermore, when reading your mail about the different versions of openssl it also came to my mind that openssl has changed the convention how hashes are formed between the version branches 0.9.8 and 1.0.0. An openssl 1.0.x binary can do both hashes:

    openssl x509 help
    ...
    -subject_hash     - print subject hash value
    -subject_hash_old - print old-style (MD5) subject hash value
    ...

If there are any hashes involved (e.g. in building the certificate chain) rehashing might help to solve some issues. There is also a binary called c_rehash to do this task for a whole directory.

kind regards
Martin

On 08/14/2014 12:31 AM, blain...@gdls.com wrote:
> The old 1.0.2 system I am migrating from uses openssl 0.9.8g. The new 1.5.1
> system uses openssl 1.0.1i.
>
> On the old system the signatures are valid. I commented out the unlink
> statements to get a better look on both systems. The files created are
> slightly different. One has the header first then the certificate whereas the
> other has these sections reversed. So I am going to keep looking at how those
> files are created.
>
> Dave
>
>
> ----- Original Message -----
> From: blainedw
> Sent: 08/13/2014 05:03 PM AST
> To: "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
> Subject: Re: [Openca-Users] OpenCA 1.5.1 signature not valid
>
> Hi Max
>
> Have you seen this?
>
> Dave
>
>
> ----- Original Message -----
> From: David Blaine [blain...@gdls.com]
> Sent: 07/22/2014 07:53 PM GMT
> To: openca-users@lists.sourceforge.net
> Subject: Re: [Openca-Users] OpenCA 1.5.1 signature not valid
>
> Is there a fix for this error? Only seems to affect records that came over
> from the migration.
>
> Dave
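
The old-style versus new-style subject hash difference mentioned in the reply above, as an added example that is not part of the original thread or of OpenCA: it classifies each `<hash>.<n>` link in a certificate directory by which convention its name follows, which shows whether a migrated directory needs rehashing. The function names, the temporary directory and the "Constructed Test CA" subject are assumptions made for illustration; it needs an openssl 1.0.0 or later binary on the PATH.

```shell
#!/bin/sh
# Added example: tell old-style (0.9.8, MD5) hash links from new-style (1.0.0+) ones.

# Print "new", "old" or "mismatch" for one hash-named link such as 1a2b3c4d.0
link_style() {
    link=$1
    name=$(basename "$link")
    prefix=${name%.*}                      # the hex digits before ".<n>"
    new=$(openssl x509 -noout -subject_hash -in "$link") || return 2
    old=$(openssl x509 -noout -subject_hash_old -in "$link") || return 2
    if [ "$prefix" = "$new" ]; then
        echo new
    elif [ "$prefix" = "$old" ]; then
        echo old                           # not found by a 1.0.x lookup: rehash
    else
        echo mismatch                      # name matches neither convention
    fi
}

# Print "<link name> <style>" for every hash link in a directory.
audit_dir() {
    for link in "$1"/*.[0-9]; do
        [ -e "$link" ] || continue
        printf '%s %s\n' "$(basename "$link")" "$(link_style "$link")"
    done
}

# Constructed sample: a throwaway self-signed certificate with only an
# old-style link, as a directory carried over from a 0.9.8 system would have.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$dir/ca.pem") || return 1
    ln -s ca.pem "$dir/$old.0"
    echo "$dir"
}
```

Run `audit_dir` against a copy of the certificate directory; any line ending in `old` names a link that a 1.0.x binary will not find until the directory is rehashed.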