#767528 openssl: copy_extensions = copy does not automatically set certificate version to v3

Package:
openssl
Source:
openssl
Description:
Secure Sockets Layer toolkit - cryptographic utility
Submitter:
Tom
Date:
2014-10-31 18:48:06 UTC
Severity:
normal
#767528#5
Date:
2014-10-31 18:38:26 UTC
Dear Maintainer,

When signing a certificate request, openssl may create an x509v1 certificate with x509v3 extensions.
This combination is rejected by some recent versions of Mozilla (Firefox and Thunderbird), see
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973

This happens when "copy_extensions = copy" is used in the [ca] section and no
"-extensions <section>" command-line option nor x509_extensions key in the config file is given.
It is unclear that -extensions (or x509_extensions) must be used in order to create an x509v3 certificate.

Including v3 extensions via copy_extensions in the config file should also produce an x509v3 certificate.

Thanks
Tom
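
A check for the condition this report describes, a certificate whose version is not v3 but which still carries an extensions field, written as an added example (not part of the bug report or of OpenSSL). It reads only the DER structure; the function names are chosen for illustration, and the two sample certificates are constructed skeletons with placeholder fields rather than real keys or signatures.

```python
def tlv(tag, body):
    # Short-form DER encoder, enough for the small constructed samples below.
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def version_and_extensions(der):
    """Return (x509_version, has_extensions) for a DER-encoded certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30 or not cert:
        raise ValueError("not a certificate SEQUENCE")
    fields = children(children(cert)[0][1])      # fields of TBSCertificate
    version = 1                                   # absent [0] field means v1
    if fields and fields[0][0] == 0xA0:           # [0] EXPLICIT version
        version = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big") + 1
    return version, any(t == 0xA3 for t, _ in fields)   # [3] = extensions

def extensions_without_v3(der):
    version, has_ext = version_and_extensions(der)
    return has_ext and version != 3

def skeleton_cert(version_field, with_ext):
    """Constructed sample: certificate layout with empty placeholder fields."""
    ext = tlv(0xA3, tlv(0x30, b"")) if with_ext else b""
    tbs = version_field + tlv(0x02, b"\x01") + tlv(0x30, b"") * 5 + ext
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

MISMATCHED = skeleton_cert(b"", True)                            # v1 + extensions
WELL_FORMED = skeleton_cert(tlv(0xA0, tlv(0x02, b"\x02")), True)  # v3 + extensions
```

A PEM certificate can be converted with `openssl x509 -in cert.pem -outform DER` before being passed to `extensions_without_v3`.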