There is a bug in /etc/ssl/openssl.cnf that prevents openssl from generating a valid CA. It generates a CA, but the CA is not able to sign certificates so that they are valid. The problem is explained in the URL.
Created attachment 105559: Patch that fixes the bug. This patch fixes the bug in openssl.cnf.
Kindly review http://bugs.gentoo.org/page.cgi?id=fields.html#bug_severity
Okay, I have done that, shouldn't it be Major? Major: major loss of function. I would call not being able to run a CA with openssl a major loss of function ;-) Anyway, the patch is straightforward, and works fine :-)
Hmm, this makes it create every cert as a CA :( Any ideas on how to get the CA generated as a CA, but the rest generated as normal certificates?
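One way to get a CA that is generated as a CA while everything it signs stays an end-entity certificate is to keep the two extension profiles in separate sections and select them with -extensions. This is an added example written for this thread, not the attached patch; the section and field names mirror the stock openssl.cnf layout (CA_default, usr_cert, v3_ca) but the values are assumed.

```ini
# Added example (not the attachment from this bug): an openssl.cnf layout that
# keeps the CA and end-entity extensions in separate sections.
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = ./demoCA
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_match
# Extensions applied by "openssl ca" unless overridden with -extensions:
# the end-entity profile, which never sets CA:TRUE.
x509_extensions  = usr_cert

[ policy_match ]
commonName = supplied

[ req ]
distinguished_name = req_distinguished_name
# Extensions used by "openssl req -x509" (the self-signed CA): only the
# CA creation step should pick this profile (or pass -extensions v3_ca).
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ usr_cert ]
# End-entity certificate: may not act as a CA.
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
# CA certificate: CA:TRUE marked critical, key limited to signing certs/CRLs.
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
```

Create the CA with `openssl req -x509 -new -extensions v3_ca ...` and sign requests with `openssl ca ...`, which applies usr_cert by default; check each result with `openssl x509 -noout -text` and confirm that only the CA shows `CA:TRUE`.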
I wouldn't really call it straightforward unless you're completely familiar with openssl/x509 ... I know I'm not. Looking at the file, the default setup is for user-based installs ... if you need to do something above and beyond that, modify the configuration file to suit your requirements (like any other config file in /etc). If you disagree, please contact the openssl users list: http://www.openssl.org/support/
I agree, but then the CA.pl / CA.sh scripts should be fixed, since they have a -newca option that is broken :-)
*** Bug 167727 has been marked as a duplicate of this bug. ***
Just for the record, CA.pl works but CA.sh doesn't work... Can't we just remove CA.sh from the ebuild?
None of the files are handled specially by the ebuild ... we install everything like the upstream openssl package intends. If a script is broken, then the openssl guys should know about it.