I spent a lot of time at work tracking down an issue where certificates were being generated with the wrong public key, not the one given in the CSR. After some intense debugging (replacing the OpenSSL binary with a script that logs stuff, etc.), I determined that it was using the -signkey option, which (as you know) is for self-signed certificates, and OpenSSL was silently replacing the CSR key with the key I was using as the CA key when generating the certificate.
I searched the library's code for -signkey, and soon discovered that it used that option when the serviceCertificate option was missing from the call to createCertificate. Earlier I had been looking for the option to specify the CA certificate, but couldn't find it. Despite the importance of this option, it's missing from the documentation, save for a brief mention in the description for the -serial option.
https://www.deineagentur.com/projects/pem/module-pem.html#.createCertificate
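The behaviour described in this report, reproduced at the OpenSSL command line as an added example (this is not the reporter's code and not part of the pem library): the first `openssl x509 -req` call uses `-signkey` with the CA key, which is what pem falls back to when `serviceCertificate` is omitted, and the second uses `-CA`/`-CAkey` as a proper issuance. The `cert_matches_csr` function is the check a practitioner can run after issuance: it compares the SHA-256 digest of the DER-encoded public key in the CSR with the one in the certificate. It assumes an `openssl` binary on `PATH`; the CA and server names are constructed for the demo.

```bash
#!/usr/bin/env sh
# Added example: show why -signkey produces a certificate carrying the wrong
# public key, and verify an issued certificate against its CSR.
# Assumes `openssl` is on PATH. Names below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"

# Constructed CA (self-signed) and a server key pair with a CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=server.example" 2>/dev/null

# Wrong: -signkey is for self-signed certificates. OpenSSL takes the public key
# from the supplied key (here the CA key), not from the CSR, and says nothing.
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/ca.key" -days 1 \
  -out "$WORK/wrong.crt" 2>/dev/null

# Right: -CA/-CAkey issue a certificate for the CSR's own public key,
# signed by the CA key. -CAcreateserial writes a serial file next to ca.crt.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/right.crt" 2>/dev/null

# cert_matches_csr CERT CSR
# Prints "match" and returns 0 when the certificate carries the CSR's public
# key; prints "MISMATCH" and returns 1 otherwise. Keys are compared by the
# SHA-256 digest of their DER encoding, so key type and size do not matter.
cert_matches_csr() {
  csr_pub="$(openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  crt_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  if [ "$csr_pub" = "$crt_pub" ]; then
    echo match
    return 0
  fi
  echo MISMATCH
  return 1
}

cert_matches_csr "$WORK/wrong.crt" "$WORK/server.csr" || true   # prints MISMATCH: CA key was embedded
cert_matches_csr "$WORK/right.crt" "$WORK/server.csr"           # prints match
```

Running the check as a post-issuance gate (before the certificate is stored or served) catches this class of mistake regardless of which tool or wrapper library produced the certificate.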