http://bugzilla.opensuse.org/show_bug.cgi?id=1194187 http://bugzilla.opensuse.org/show_bug.cgi?id=1194187#c9 --- Comment #9 from Mark Post <mpost@suse.com> --- Thanks again. In playing around, it seems there is some sort of issue with the addition of these two lines: openssl_conf = openssl_init [openssl_init] When I added those, I was following the documentation at https://www.openssl.org/docs/man1.1.1/man5/config.html If I remove them or comment them out, the CSR file gets created, but the engines definitions don't get created, even though the include files are read. It's as though these two lines are being totally ignored without the section header: oid_section = new_oids engines = engine_section Which seems odd, since the documentation says: The first section of a configuration file is special and is referred to as the default section. This section is usually unnamed and spans from the start of file until the first named section. Without those two lines, the old_section and engines lines should be considered as being in the default section. This is starting to look more like an openssl bug to me, rather than the changes I made being somehow wrong. Just what that means for Marcus adding the [SAN] section for his needs is really not clear. It seems as though his particular command only requires the "[ req_distinguished_name ]" section from openssl.cnf. But, none of those values are customized by us, so it's all very generic. I don't know enough about openssl to be sure, but this kind of looks like this is relevant: https://github.com/openssl/openssl/issues/4598#issuecomment-341321065 Pedro, if you could take a look at this, I would appreciate it. -- You are receiving this mail because: You are on the CC list for the bug.