I know the public key is included in the private key, but I don't know how to separate it. I read apps/req.c; it just calls X509_REQ_set_pubkey(req,pkey), where pkey is still the private key. I wonder why it works normally.
I guess I misunderstand something, so I turn to your help.
After I call EC_KEY_set_asn1_flag() before EC_KEY_generate_key(), the self-signed certificate (ca.der) is generated successfully without prompting "signature corrupt".
Thank you, Dr. Henson and Ryan.
But I still have another question, though it is not critical.
I use Windows 8 and IE10 now.
When I double-click ca.der and install, if I choose 'Automatically select the certificate store based on the type of certificate', then the self-signed certificate will be in the 'Intermediate Certification Authorities', not 'Trusted Root Certification Authorities'.
If I choose 'Place all certificates in the following store' and select 'Trusted Root Certification Authorities', I can find the certificate in 'Trusted Root Certification Authorities' as I wish.
The automatic import activity on Win8 is a little different from that on WinXP.
Maybe it's a new OS security policy, I don't know.