The openssl x509 and ca commands may create v3 certificates even if no extensions are present.
The code in apps/x509.c and apps/ca.c that sets the version of a certificate is not quite correct. It is basically set when the code thinks that some extensions are going to be added and not after it; I think the version should be set just before signing a certificate and this should be done almost automatically.

To do this inside the library function X509_sign may be a little bit too far down, although absolutely correct. A slightly weaker alternative is to add a value -1 to X509_set_version, which can be called just before X509_sign and which will set the correct version depending on the content. Doing it in this way, the set_version could also correctly set a v2 in case someone managed to put a subjectUID/issuerUID.

Note that in ca.c the code that is ifdef'ed by X509_V3 is not active; the version is set later, and not even using X509_set_version.

In the library there is also a routine X509_REQ_to_X509 which doesn't seem to be used anywhere and which produces a v3 certificate although no extensions are created. I think this routine could be removed from the library.

Since there are at least two options to code, I'd like to hear some comments before I send in one of the possible patches, which are pretty small either way.

In the demos/signcert, a version "3" is set; it should be 2.
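As an added illustration of the content-dependent rule the report proposes (v3 only when extensions are present, v2 when only a subjectUID/issuerUID is present, v1 otherwise), the following stand-alone checker walks a DER TBSCertificate and compares the encoded version with the version its content calls for. It is not OpenSSL code and is not part of the original message; `der_hdr`, `tbs_version_check` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag/length header (lengths up to 4 bytes); 0 means malformed. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
    size_t i, k;
    if (n < 2) return 0;
    *tag = p[0]; k = p[1] & 0x7f;
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    if (k == 0 || k > 4 || n < 2 + k) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return *len <= n - 2 - k ? 2 + k : 0;
}

/* Compare the encoded version with the lowest version the content requires
   (0 = v1, 1 = v2, 2 = v3). Returns 0 on match, 1 on mismatch, -1 on parse error. */
int tbs_version_check(const unsigned char *tbs, size_t n, int *enc, int *need)
{
    unsigned char tag; size_t len, h; int i; const unsigned char *p, *end;
    if (!(h = der_hdr(tbs, n, &tag, &len)) || tag != 0x30) return -1;
    p = tbs + h; end = p + len; *enc = *need = 0;
    if (!(h = der_hdr(p, (size_t)(end - p), &tag, &len))) return -1;
    if (tag == 0xA0) {              /* [0] EXPLICIT version, absent means v1 */
        if (len != 3 || p[h] != 0x02 || p[h + 1] != 0x01) return -1;
        *enc = p[h + 2]; p += h + len;
    }
    for (i = 0; i < 6; i++) {       /* serial, sigalg, issuer, validity, subject, SPKI */
        if (!(h = der_hdr(p, (size_t)(end - p), &tag, &len))) return -1;
        p += h + len;
    }
    while (p < end) {               /* optional trailing fields decide the version */
        if (!(h = der_hdr(p, (size_t)(end - p), &tag, &len))) return -1;
        if (tag == 0xA3) *need = 2;                      /* [3] extensions */
        else if ((tag == 0x81 || tag == 0x82) && *need < 1) *need = 1; /* [1]/[2] UIDs */
        p += h + len;
    }
    return *enc != *need;
}

/* Constructed skeleton (empty placeholder fields), not a real certificate:
   version field says v3, but no extensions follow the public key. */
const unsigned char V3_NO_EXT[] = {0x30,0x12, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00};

int main(void)
{
    int enc, need, r = tbs_version_check(V3_NO_EXT, sizeof V3_NO_EXT, &enc, &need);
    printf("mismatch=%d encoded=v%d required=v%d\n", r, enc + 1, need + 1);
    return 0;
}
```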