I have a self-signed certificate (new.crt) that I want to sign with the x509 app and the keypair that is in ca.pem. I can send those files if desired; if sent as attachments the openssl.org server complains.
In an older openssl, what I expect happens: ; openssl version OpenSSL 0.9.8k 25 Mar 2009 ; openssl x509 -in /tmp/new.crt -CA /tmp/ca.pem -clrext | openssl x509 -issuer Getting CA Private Key issuer= /C=us/O=ibm/OU=SSL PKI -----BEGIN CERTIFICATE----- MIICPzCCASegAwIBAgIJAIJYg8vsmXyRMA0GCSqGSIb3DQEBBQUAMC0xCzAJBgNV BAYTAnVzMQwwCgYDVQQKEwNpYm0xEDAOBgNVBAsTB1NTTCBQS0kwHhcNMTMwNDMw MjAwNDE4WhcNMTMwNTMwMjAwNDE4WjARMQ8wDQYDVQQDEwZ0ZXN0bWUwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAM6IWQi/WinRaw01CFLU6owgzYa9HoX2Hk5t kzuq5at2Umy9uuwa9GAt2mz6qOYuSzF6T16UKrGR5CsPC8M117mgofYHhGvTbx/o 4dnOTnr0zntkyRzNycOzqZ+dNhQwnQgf/jUWS1t43aewlIo7yM4CkgLvOJQIWLo+ yBULUROTAgMBAAGjAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBX1AKm88aGyKNnIOVI 7DlHJBOG/WbVer5uENIVhakAMxrsrYQRmSEaceZI6ngeKysMnV+Uw7xAJstRsY46 0bIbn/JTkqlwxKuPKhlpoPUub8A0Gp7OsxVJIHDxvMYXbOI9VCLUAJvchNE9x1sB zTW4R1RiHfLonM4qK3kSlsXBk/KeXfWxyrO86IhKtPBzIHNR8Yc+kLzIVrdRD97Q eraZYC8sBIPCnWo9BLClc0FGOfmzMmCYceKo6viAa2eh+z6NI+SNVB1j1yJsg2NL qJ+XzDqw7XFwBX7zqfT1qiJkPlSTx/14gm0n01W7lCuhLcuuMBCmGpATa6/Xmoh4 Jg9X -----END CERTIFICATE----- With the latest, it looks like the only thing output is the new signature :( ; ./openssl version OpenSSL 1.0.1e 11 Feb 2013 ; ./openssl x509 -in /tmp/new.crt -CA /tmp/ca.pem -clrext | openssl x509 -issuer Getting CA Private Key issuer= /CN=testme -----BEGIN CERTIFICATE----- MIICkzCCAXugAwIBAgIJAM1h8iG9zMXHMA0GCSqGSIb3DQEBBQUAMBExDzANBgNV BAMTBnRlc3RtZTAeFw0xMzA0MjkyMDUyMjJaFw0xNjAxMjMyMDUyMjJaMBExDzAN BgNVBAMTBnRlc3RtZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzohZCL9a KdFrDTUIUtTqjCDNhr0ehfYeTm2TO6rlq3ZSbL267Br0YC3abPqo5i5LMXpPXpQq sZHkKw8LwzXXuaCh9geEa9NvH+jh2c5OevTOe2TJHM3Jw7Opn502FDCdCB/+NRZL W3jdp7CUijvIzgKSAu84lAhYuj7IFQtRE5MCAwEAAaNyMHAwHQYDVR0OBBYEFJn5 UnX9Uh/qLr2PuiwN8sJ1bCE6MEEGA1UdIwQ6MDiAFJn5UnX9Uh/qLr2PuiwN8sJ1 bCE6oRWkEzARMQ8wDQYDVQQDEwZ0ZXN0bWWCCQDNYfIhvczFxzAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBd/kGRzuM1dBjMRAz2hDQT2rNs+dMorm1b cnhYpm04tPUQmy+0uIXToN8Hix8IBflOKRz/sE2XaF/d2Edk5o/9n2XAQLrdvU75 C+uIhLBMt1PzpIc93z8esxhrjpEjwd9Xztm35U7SJ4A5UhE6m1a6RAM3vmDwn4w+ ssZ1xRAkG3ZYJ2Xc1pwty6df8vV3hYmBONoyuLOzJRKJC35UKHNqAwgZ0AjgGol6 hukZ0p0JQxh2DhfQMD65SqXYPkrDgGS2InC802LEJqslZkDAzwDUvrzqbZYhYFMF ucAE3513wCzs4n7o3JchzZ8O7nkivcBvUXJzUBk3rmPS4LQrx5gG -----END CERTIFICATE----- Not only is the issuer wrong, but the cert extensions aren't removed. Any thoughts? I stepped through the x590_main, and it looked reasonable, until I got lost in the PEM/ASN1 macros. -- Principal Security Engineer Akamai Technology Cambridge, MA