Just got this response, had been getting responses, ok.
I would expect OpenSSL to automatically use the correct version number. Perhaps it's a bug, or it's not aware of the extensions for some reason?
When I create a certificate with extensions, the version number is 3. See the section "Creating Certificates Valid for Multiple Hostnames" in OpenSSL Cookbook https://www.feistyduck.com/books/openssl-cookbook/
I've just added this explanation to the error page (in the development version):
"the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed."
I suspect this problem is going to exist (only?) in self-signed certificates, because CAs will correctly specify the version number.
Thanks for that.
It's a self-signed cert all right.
Have you any pointers as to what I need to do to make openssl create a V3 cert?
I imagine there are some fields and/or switches I'm missing; is there a well-defined list anywhere?
Certificates were indeed being created at V1 - but with V3 extensions. I think this might have been due to having extensions specified in the .csr, but not actually supplied when the .crt was generated. At least a "feature", if not a bug.
I don't have my original script anymore, so I can't reproduce to be sure, though.
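The strict check described in the error message above (declared version versus presence of extensions), as an added example that is not part of the original thread or the site's parser. The function names are hypothetical and the sample bytes are constructed skeletons, not real certificates; only single-byte DER tags are handled, which is all the top level of a certificate uses.

```python
# Added example: minimal DER walk that flags a certificate whose declared
# version is not 3 but which carries an extensions block ([3] in TBSCertificate).

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def check_version(cert_der):
    """Return (declared_version, has_extensions, consistent)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])  # fields of TBSCertificate
    version = 1  # the [0] version field is DEFAULT v1 when absent
    if fields and fields[0][0] == 0xA0:
        _, value, _ = read_tlv(fields[0][1], 0)
        version = int.from_bytes(value, "big") + 1  # encoded 0, 1, 2 = v1, v2, v3
    has_ext = any(t == 0xA3 for t, _ in fields)  # [3] EXPLICIT extensions
    return version, has_ext, not (has_ext and version != 3)

# Constructed skeletons (not valid certificates): only the fields the check reads.
def tlv(tag, content=b""):
    return bytes([tag, len(content)]) + content  # short-form lengths only

def skeleton(version_field, with_ext):
    body = version_field + tlv(0x02, b"\x01") + tlv(0x30) * 5
    return tlv(0x30, tlv(0x30, body + (tlv(0xA3, tlv(0x30)) if with_ext else b"")))

V3 = tlv(0xA0, tlv(0x02, b"\x02"))
if __name__ == "__main__":
    print(check_version(skeleton(b"", True)))   # declared v1, has extensions
    print(check_version(skeleton(V3, True)))    # declared v3, has extensions
```

To run the check on a real certificate, pass its DER bytes, for example the output of `ssl.PEM_cert_to_DER_cert()` from the Python standard library.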