From 69aaa20b1af43f4e949e899c86cec62ee011d750 Mon Sep 17 00:00:00 2001
From: msi-debian
Date: Thu, 6 Mar 2025 12:29:13 -0700
Subject: [PATCH 1/2] Initial Fix

---
 src/tpm2_wrap.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 3a417f4..5b43f07 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -277,7 +277,13 @@ WOLFTPM2_CSR* wolfTPM2_NewCSR(void)
 csr = NULL;
 }
 if (csr) {
- csr->req.version = 0; /* per RFC2986 : CSR version should be 0 */
+ /* Set version to 2 for self-signed certificates, 0 for regular CSRs per RFC2986 */
+ if (csr->req.selfSigned) {
+ csr->req.version = 2;
+ }
+ else {
+ csr->req.version = 0;
+ }
 }
 }
 return csr;
@@ -7211,7 +7217,13 @@ int wolfTPM2_CSR_Generate_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 XMEMSET(&csrKey, 0, sizeof(csrKey));
 rc = wc_InitCert(&csr.req);
 if (rc == 0) {
- csr.req.version = 0; /* per RFC2986 : CSR version should be 0 */
+ /* Set version to 2 for self-signed certificates, 0 for regular CSRs per RFC2986 */
+ if (selfSignCert) {
+ csr.req.version = 2;
+ }
+ else {
+ csr.req.version = 0;
+ }
 rc = CSR_KeySetup(dev, &csr, key, &csrKey, sigType, devId);
 }

From 250fa3923f5d80329428bab16f91f726e470cad6 Mon Sep 17 00:00:00 2001
From: night1rider
Date: Thu, 6 Mar 2025 16:49:13 -0700
Subject: [PATCH 2/2] Revert setting version in CSR Init, and Version Change to MakeAndSign_ex

---
 src/tpm2_wrap.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 5b43f07..0fa2290 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -277,13 +277,7 @@ WOLFTPM2_CSR* wolfTPM2_NewCSR(void)
 csr = NULL;
 }
 if (csr) {
- /* Set version to 2 for self-signed certificates, 0 for regular CSRs per RFC2986 */
- if (csr->req.selfSigned) {
- csr->req.version = 2;
- }
- else {
- csr->req.version = 0;
- }
+ csr->req.version = 0; /* per RFC2986 : CSR version should be 0 */
 }
 }
 return csr;
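Review bot: The comment added in the wolfTPM2_CSR_Generate_ex hunk of 1/2 attributes both values to RFC2986, but that RFC only defines the CSR version (0); the value 2 is the X.509 v3 encoding from RFC 5280, which requires v3 whenever a certificate carries extensions. Because a self-signed certificate emitted with the wrong version is malformed under that profile and may be rejected by strict verifiers, the comment should name the rule behind each branch, e.g. `/* self-signed cert: X.509 v3, encoded as 2 (RFC 5280); CSR: version 0 (RFC 2986) */`. The same wording appears in the wolfTPM2_NewCSR hunk of 1/2 (reverted by 2/2) and in the wolfTPM2_CSR_MakeAndSign_ex hunk of 2/2. The body of wolfTPM2_CSR_Generate_ex starts and ends outside the hunk.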
@@ -7186,6 +7180,14 @@ int wolfTPM2_CSR_MakeAndSign_ex(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
 return BAD_FUNC_ARG;
 }

+ /* Set version to 2 for self-signed certificates, 0 for regular CSRs per RFC2986 */
+ if (selfSignCert) {
+ csr->req.version = 2;
+ }
+ else {
+ csr->req.version = 0;
+ }
+
 rc = CSR_KeySetup(dev, csr, key, &csrKey, sigType, devId);
 if (rc == 0) {
 rc = CSR_MakeAndSign(dev, csr, &csrKey, outFormat, out, outSz,
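Review bot: The version selection added to wolfTPM2_CSR_MakeAndSign_ex is a second copy of the block that 1/2 placed in wolfTPM2_CSR_Generate_ex, so the two entry points can drift apart on which version a self-signed certificate is given. A single expression, `csr->req.version = selfSignCert ? 2 : 0;`, or a small static helper called from both places would keep them in step. The assignment also overwrites whatever `req.version` the caller set on its own WOLFTPM2_CSR before the call, which is worth stating in the function's documentation. The function starts and ends outside the hunk.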