OpenSSL self-test report:
OpenSSL version:  0.9.6g
Last change:      [In 0.9.6g-engine release:]...
Options:          no-idea --prefix=/usr/local --openssldir=/usr/local/ssl no-threads shared
OS (uname):       Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 unknown
OS (config):      i586-whatever-linux2
Target (default): linux-elf
Target:           linux-elf
Compiler:         gcc version 2.95.3 20010315 (release)

Hi all,

I always get "bad serial number length" when I want to sign the second request with my self-signed CA. I just followed the steps on http://www.dfn-pca.de/certify/ssl/handbuch/ossl095/ossl095.html (sorry, it's all German). These steps were:

- edited openssl.cnf:

    x509_extensions = v3_ca
    [...]
    [ v3_ca ]
    # Extensions for a typical CA

    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always

    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    basicConstraints = critical,CA:true
    # So we do this instead.
    #basicConstraints = CA:true

    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign

    # Some might want this also
    nsCertType = sslCA, emailCA

    # Include email address in subject alt name: another PKIX recommendation
    subjectAltName=email:copy
    # Copy issuer details
    issuerAltName=issuer:copy

- created the CA's key:

    openssl genrsa -des3 ca.key 2048

- created the self-signed CA:

    openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

- edited openssl.cnf:

    x509_extensions = usr_cert

- created two keys and two certificate requests:

    openssl req -new -days 3650 -key foo.key -out foo.req

I then signed the 1st request:

    openssl ca -keyfile ca.key -cert ca.pem -in foo.req -out foo.pem

Everything's fine up to this point. Then I tried to sign the 2nd request, but I always get "bad serial number length". It's reproducible, even when I try different serials (tried 00 up to 03), so I think it's a bug.
At least I can sign my certs with 'openssl x509 -req', but when trying to generate a CRL I get the same error.

Any ideas?

Oh, the version is 0.9.6g (compiled tarball).

Olaf
