Hi, if I use the command:

    $ /usr/local/bin/openssl req -x509 -new -days 30 -key ./cacert.key -out ./cacert.pem -outform PEM

to create a self-signed root-certificate the 'man req' page says:

    -x509
        this option outputs a self signed certificate instead of a
        certificate request. This is typically used to generate a test
        certificate or a self signed root CA. The extensions added to the
        certificate (if any) are specified in the configuration file.
        Unless specified using the set_serial option 0 will be used for
        the serial number.

So I expected a serial-number of 0, but get a:

    $ /usr/local/bin/openssl x509 -serial -noout -in cacert.pem
    serial=806E141592B2EFF9

If I use the '-set_serial' I will get the expected serial number of course.

The automatically used /usr/local/ssl/openssl.cnf contains only these serial-related lines:

    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section

    ####################################################################
    [ CA_default ]

    dir             = ./demoCA              # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several ctificates with same
                                            # subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.

    certificate     = $dir/cacert.pem       # The CA certificate
    serial          = $dir/serial           # The current serial number

Even if I create an explicit serial-file it won't be used for the 'req' command (tested with strace).

Any ideas what I'm doing wrong? Or is the man-page wrong?

Ciao,
Georg