Dear Maintainer, when signing a certificate request, openssl may create a x509v1 certificate with x509v3 extensions. This combination is rejected by some recent versions of mozilla (firefox and thunderbird), see https://bugzilla.mozilla.org/show_bug.cgi?id=1045973 This happens when "copy_extensions = copy" is used in the [ca] section and no "-extensions <section>" commandline option nor x509_extensions key in the config file is given. It is unclear that -extensions (or x509_extensions) must be used in order to create an x509v3 certificate. Including v3 extensions via copy_extensions in the config file should also produce an x509v3 certificate. Thanks Tom