OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Signing a CSR gives strange result #1192

Closed warren-gallagher closed 1 month ago

warren-gallagher commented 1 month ago

Using EasyRSA-3.1.7 on MacOS 17.5 and OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023).

I have an unsigned root CA. I have created a subca and submitted the resultant CSR to the root CA for signing. It does sign the request, but when it generates, the issued certificate is not just a PEM. It has a text decoding of the certificate in the file followed by the PEM. I would have expected it to only be the PEM portion. Am I doing something wrong?

It looks similar to below

cat CertificateAuthorities/affinitiquest.io/issued/gallaghers.ca.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:34:16:e0:1a:5b:d5:45:fc:8f:9c:bb:b1:72:a4:45
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=CA, O=AffinitiQuest, CN=affinitiquest.io
        Validity
            Not Before: Jul 23 19:27:27 2024 GMT
            Not After : Oct 26 19:27:27 2026 GMT
        Subject: C=CA, O=Gallagher Consulting, CN=gallaghers.ca
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:79:21:7e:94:6d:2a:49:e4:28:d6:2f:43:28:6c:
                    4d:a9:ea:30:0c:0d:c5:ce:f8:2d:a4:96:35:d2:6a:
                    82:77:3d:c2:7f:1a:0e:c8:3c:8a:25:ed:7e:41:21:
                    7b:9c:31:b1:58:ac:98:c1:6f:60:b0:38:a0:d5:b0:
                    13:89:fc:d0:55
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Key Identifier: 
                FC:80:69:FD:13:B5:06:2B:EC:28:B7:99:F4:DF:F0:BD:82:38:6E:D3
            X509v3 Authority Key Identifier: 
                keyid:40:51:3B:B1:84:95:10:F3:A9:81:07:A7:67:D2:1B:92:F5:C0:06:AB
                DirName:/C=CA/O=AffinitiQuest/CN=affinitiquest.io
                serial:9D:38:9C:AB:98:A8:B6:FB

            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:9c:ae:20:97:57:ac:3c:7e:75:5b:7e:43:5f:
         3e:bf:01:8a:9c:a5:b9:86:7a:d2:53:f5:c5:9b:29:4a:8a:bc:
         54:02:21:00:c9:73:cb:63:91:66:f1:7f:b8:a5:dc:41:f8:79:
         8d:12:c3:ef:23:6c:29:25:fd:70:15:b3:49:61:7f:64:69:f4
-----BEGIN CERTIFICATE-----
MIICMzCCAdigAwIBAgIQNDQW4Bpb1UX8j5y7sXKkRTAKBggqhkjOPQQDAjBAMQsw
CQYDVQQGEwJDQTEWMBQGA1UECgwNQWZmaW5pdGlRdWVzdDEZMBcGA1UEAwwQYWZm
aW5pdGlxdWVzdC5pbzAeFw0yNDA3MjMxOTI3MjdaFw0yNjEwMjYxOTI3MjdaMEQx
CzAJBgNVBAYTAkNBMR0wGwYDVQQKDBRHYWxsYWdoZXIgQ29uc3VsdGluZzEWMBQG
A1UEAwwNZ2FsbGFnaGVycy5jYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHkh
fpRtKknkKNYvQyhsTanqMAwNxc74LaSWNdJqgnc9wn8aDsg8iiXtfkEhe5wxsVis
mMFvYLA4oNWwE4n80FWjga8wgawwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU/IBp
/RO1BivsKLeZ9N/wvYI4btMwcAYDVR0jBGkwZ4AUQFE7sYSVEPOpgQenZ9IbkvXA
BquhRKRCMEAxCzAJBgNVBAYTAkNBMRYwFAYDVQQKDA1BZmZpbml0aVF1ZXN0MRkw
FwYDVQQDDBBhZmZpbml0aXF1ZXN0LmlvggkAnTicq5iotvswCwYDVR0PBAQDAgEG
MAoGCCqGSM49BAMCA0kAMEYCIQCcriCXV6w8fnVbfkNfPr8BipyluYZ60lP1xZsp
Soq8VAIhAMlzy2ORZvF/uKXcQfh5jRLD7yNsKSX9cBWzSWF/ZGn0
-----END CERTIFICATE-----

TinCanTech commented 1 month ago

The text decoding of the certificate meta-data is normal.

The meta-data is public and is encoded in the certificate. It can be accessed by any party that has access to the certificate.

If preferred, you can manually delete the meta-data.

warren-gallagher commented 1 month ago

Thanks.

TinCanTech commented 1 month ago

I checked help and found option --notext, which should also omit the meta-data.
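For certificates that were already issued with the text decoding in front of them, the manual clean-up suggested above can be scripted. The following is an added example, not code from the thread or from easy-rsa: it keeps only the PEM block(s) of a file and checks that nothing else is left, using a constructed sample rather than the certificate from the report. OpenSSL itself skips anything before the BEGIN line when reading PEM, but stricter parsers and some appliances reject a file that does not start with the armour, which is why the bare form is worth producing (and why issuing with --notext, or `openssl ca -notext`, avoids the problem up front).

```shell
#!/bin/sh
# Keep only the PEM block(s) of an issued certificate file, dropping the
# human-readable "Certificate: ..." decoding that "openssl ca" writes in
# front of them when run without -notext.
# Usage: pem_only issued/gallaghers.ca.crt > gallaghers.ca.pem
pem_only() {
    # Print from each BEGIN marker through its matching END marker; every
    # other line (text dump, blank lines, stray output) is discarded.
    # Handles files with several certificates (e.g. a chain) as well.
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }
    ' "$1"
}

# Sanity check: a bare PEM file starts with a BEGIN marker and ends with
# an END marker. Returns 0 (true) when that holds, 1 otherwise.
is_bare_pem() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] && \
    [ "$last" = "-----END CERTIFICATE-----" ]
}

# Constructed sample (not the certificate from the report): a short text
# decoding followed by a dummy base64 body, laid out as "openssl ca"
# without -notext would write it.
make_sample() {
    printf '%s\n' \
        'Certificate:' \
        '    Data:' \
        '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' \
        'Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnQ=' \
        '-----END CERTIFICATE-----' > "$1"
}
```

After stripping, `openssl x509 -in gallaghers.ca.pem -noout -text` should still print the same decoding, since only the surrounding text was removed and the DER inside the armour is untouched.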