Issuer DN of new internal certificates does not match the signing CA Subject DN

hjl3

Cadet
Joined
Apr 30, 2020
Messages
2
Having trouble generating new certificates with an existing CA in FreeNAS. The CA was created ~6 months ago, and certificates issued from that CA within FreeNAS back then are/were fine.

Code:
$ openssl verify -CAfile ./ca.crt working.crt
unifi.crt: OK


But now I'm having problems with new certificates generated the same way failing to verify.

Code:
$ openssl verify -CAfile ./ca.crt new.crt
CN = [MASK], C = [MASK], ST = [MASK], L = [MASK], O = [MASK], OU = [MASK], emailAddress = [MASK]
error 20 at 0 depth lookup: unable to get local issuer certificate
error ca.crt: verification failed


Looking at the certificates, it appears the Issuer DN assigned to the new certificates isn't matching the Subject DN of the generating CA. Like it's reordering the values within the DN.

Code:
## CA Subject DN
# openssl x509 -noout -in ca.crt -subject
subject= /C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/CN=ca.[MASK]/emailAddress=[MASK]

## Old (working) certificates Issuer DN
# openssl x509 -noout -in ../working.crt -issuer
issuer= /C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/CN=ca.[MASK]/emailAddress=[MASK]

## New certificates Issuer DN (not matching the CA Subject)
# openssl x509 -noout -in ../new.crt -issuer
issuer= /CN=ca.[MASK]/C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/emailAddress=[MASK]


And if I manually generate a new certificate from this CA using openssl, it comes out as expected.

Code:
# openssl verify -CAfile ./ca.crt ./manual-new.crt
./dev.mergebot.com.crt: OK
# openssl x509 -noout -in manual-new.crt  -issuer
issuer= /CN=ca.[MASK]/C=[MASK]/ST=[MASK]/L=[MASK]/O=[MASK]/emailAddress=[MASK]


So something seems to be amiss with how FreeNAS issues certificates from a given CA through the interface.
 

hjl3

Cadet
Joined
Apr 30, 2020
Messages
2
Still haven't figured out how to deal with this without either managing the CA elsewhere, or creating a new CA. I'd rather keep using FreeNAS to manage my CA. It does not make sense how it seems to reorder the properties within a DN of the issuer of a new certificate...

Tested creating a new CA, and then generating a new certificate from that CA. Works fine, since the ordering of the properties in the DN is the same...
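The ordering problem both posts describe, as an added example that is not code from the thread or from FreeNAS: it builds a CA with python-cryptography (assumed installed; every DN value is a constructed placeholder), issues one leaf whose Issuer DN copies the CA Subject DN in order and one with CN moved to the front, and shows that the CA signature verifies on both while only the first passes the exact issuer-name match a chain builder performs before it ever checks a signature.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
# Constructed CA attributes (placeholders, not the poster's values) in Subject DN order C, ST, L, O, CN.
CA_ATTRS = [(NameOID.COUNTRY_NAME, "US"), (NameOID.STATE_OR_PROVINCE_NAME, "California"),
            (NameOID.LOCALITY_NAME, "Example City"), (NameOID.ORGANIZATION_NAME, "Example Org"),
            (NameOID.COMMON_NAME, "ca.example.test")]
CN_FIRST_ATTRS = [CA_ATTRS[-1]] + CA_ATTRS[:-1]  # CN moved to the front, as in the failing certs

def make_name(attrs):
    # One RDN per attribute, in list order; x509.Name equality is order-sensitive.
    return x509.Name([x509.NameAttribute(oid, val) for oid, val in attrs])

def build_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(make_name(CA_ATTRS)).issuer_name(make_name(CA_ATTRS))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, issuer_attrs, cn="host.example.test"):
    # Sign a leaf with the CA key; issuer_attrs fixes the RDN order written into its Issuer DN.
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(make_name([(NameOID.COMMON_NAME, cn)]))
            .issuer_name(make_name(issuer_attrs))
            .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def signature_valid(leaf, ca):
    # The CA key did sign the leaf, however its Issuer DN is ordered.
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def issuer_matches(leaf, ca):
    # What a path builder checks when it looks up the issuer: exact DN match, order included.
    return leaf.issuer == ca.subject
```

Printing `leaf.issuer.rfc4514_string()` next to `ca.subject.rfc4514_string()` shows the same reordering the openssl output above does, which is why the lookup for a local issuer fails even though the signature is fine.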
 