Fix SM2 certs to have the correct public key OID

OpenSSL 3.5+ handles the OIDs differently.

Author: LinuxJedi

certs/sm2/ca-sm2.der

@@ -5,11 +5,11 @@ Certificate:
         Signature Algorithm: SM2-with-SM3
         Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
         Validity
-            Not Before: Feb 18 14:27:26 2026 GMT
-            Not After : Nov 14 14:27:26 2028 GMT
+            Not Before: Feb 18 17:56:57 2026 GMT
+            Not After : Nov 14 17:56:57 2028 GMT
         Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
+            Public Key Algorithm: sm2
                 Public-Key: (256 bit)
                 pub:
                     04:21:92:f7:cb:24:df:64:4d:ba:ab:66:7b:83:75:
@@ -29,23 +29,23 @@ Certificate:
                 Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: SM2-with-SM3
     Signature Value:
-        30:46:02:21:00:ba:6b:14:b0:ef:08:bf:4c:32:63:62:2e:e1:
-        5d:04:d9:45:04:79:c9:bf:9a:93:9f:05:44:f5:e6:33:64:b4:
-        7e:02:21:00:e3:17:fe:87:35:30:f2:3b:ab:16:2d:5e:30:76:
-        42:4e:cc:85:96:b9:2f:af:55:00:a5:4f:43:7c:13:54:3f:4f
+        30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25:
+        9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f:
+        9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69:
+        bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5
 -----BEGIN CERTIFICATE-----
-MIICljCCAjugAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
+MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
 BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
 U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
-Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE0
-MjcyNloXDTI4MTExNDE0MjcyNlowgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3
+NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
 b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP
 MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
 hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm
-U1NMMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEIZL3yyTfZE26q2Z7g3WpKef/
-ZGO21UKAIL3i4gISO460AJUJgMtW7UvKjVfmrgXTdidjcTmJt2nmSICu0alIEqNj
-MGEwHQYDVR0OBBYEFEcKSH67AqhaJlcrGal7YYt/XZluMB8GA1UdIwQYMBaAFDQd
-eUQVeaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgGGMAoGCCqBHM9VAYN1A0kAMEYCIQC6axSw7wi/TDJjYi7hXQTZRQR5yb+ak58F
-RPXmM2S0fgIhAOMX/oc1MPI7qxYtXjB2Qk7MhZa5L69VAKVPQ3wTVD9P
+U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn
+/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj
+YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0
+HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV
+9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ==
 -----END CERTIFICATE-----

certs/sm2/ca-sm2.pem

@@ -2,15 +2,15 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            22:ce:97:23:6f:99:f4:f3:25:25:7e:01:76:ce:ae:80:56:b6:41:d1
+            63:dd:75:63:8a:b0:51:4f:9c:4e:ff:6d:55:4e:cd:ee:8f:26:d3:80
         Signature Algorithm: SM2-with-SM3
         Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Validity
-            Not Before: Feb 18 14:27:26 2026 GMT
-            Not After : Nov 14 14:27:26 2028 GMT
+            Not Before: Feb 18 17:56:57 2026 GMT
+            Not After : Nov 14 17:56:57 2028 GMT
         Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
         Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
+            Public Key Algorithm: sm2
                 Public-Key: (256 bit)
                 pub:
                     04:3a:1d:e8:cb:4b:d3:2e:3f:4b:07:3f:b0:21:fe:
@@ -25,7 +25,7 @@ Certificate:
             X509v3 Authority Key Identifier: 
                 keyid:E4:21:B2:C5:E5:D4:9E:82:CA:F8:67:F2:28:99:F6:85:E8:F1:55:EF
                 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_sm2/OU=Client-sm2/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL
-                serial:22:CE:97:23:6F:99:F4:F3:25:25:7E:01:76:CE:AE:80:56:B6:41:D1
+                serial:63:DD:75:63:8A:B0:51:4F:9C:4E:FF:6D:55:4E:CD:EE:8F:26:D3:80
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Alternative Name: 
@@ -34,30 +34,30 @@ Certificate:
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: SM2-with-SM3
     Signature Value:
-        30:44:02:20:27:71:25:22:69:ed:80:eb:3f:39:0e:7a:9b:a7:
-        22:66:76:ef:d4:b4:5e:e8:8f:47:06:c7:2f:a4:f5:0f:09:6e:
-        02:20:18:f9:bb:4c:4a:a0:a0:c9:ff:42:24:a1:9a:63:6b:ec:
-        d1:25:e5:49:de:bd:83:e0:90:81:f4:23:49:f7:84:6e
+        30:46:02:21:00:dd:98:90:68:35:95:61:2f:11:90:a5:e9:30:
+        8b:9a:aa:33:cc:73:8a:76:96:8b:97:8c:4c:c3:10:fc:14:56:
+        9b:02:21:00:f8:de:db:67:54:59:ca:98:27:3d:3f:f6:6f:30:
+        0c:65:e1:fb:a0:9f:11:ab:ea:76:30:31:c4:66:11:d7:b9:f2
 -----BEGIN CERTIFICATE-----
-MIIDxjCCA22gAwIBAgIUIs6XI2+Z9PMlJX4Bds6ugFa2QdEwCgYIKoEcz1UBg3Uw
+MIIDyTCCA26gAwIBAgIUY911Y4qwUU+cTv9tVU7N7o8m04AwCgYIKoEcz1UBg3Uw
 gbAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
 bWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjETMBEGA1UECwwKQ2xpZW50LXNtMjEY
 MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
-bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNDI3
-MjZaFw0yODExMTQxNDI3MjZaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
+bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNzU2
+NTdaFw0yODExMTQxNzU2NTdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
 dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLd29sZlNTTF9zbTIxEzAR
 BgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
 CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv
-bGZTU0wwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQ6HejLS9MuP0sHP7Ah/sWe
-2co6k5OVdh0w2Qv1Vu0ZYO0BTPZnHfGsqHQNsnfISTjk/0zvjW2H9k7H+Dl0cHC1
-o4IBYTCCAV0wHQYDVR0OBBYEFOQhssXl1J6Cyvhn8iiZ9oXo8VXvMIHwBgNVHSME
-gegwgeWAFOQhssXl1J6Cyvhn8iiZ9oXo8VXvoYG2pIGzMIGwMQswCQYDVQQGEwJV
-UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwL
-d29sZlNTTF9zbTIxEzARBgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53
-b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG
-CgmSJomT8ixkAQEMB3dvbGZTU0yCFCLOlyNvmfTzJSV+AXbOroBWtkHRMAwGA1Ud
-EwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAoGCCqBHM9VAYN1A0cAMEQCICdxJSJp7YDr
-PzkOepunImZ279S0XuiPRwbHL6T1DwluAiAY+btMSqCgyf9CJKGaY2vs0SXlSd69
-g+CQgfQjSfeEbg==
+bGZTU0wwWjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAEOh3oy0vTLj9LBz+wIf7F
+ntnKOpOTlXYdMNkL9VbtGWDtAUz2Zx3xrKh0DbJ3yEk45P9M741th/ZOx/g5dHBw
+taOCAWEwggFdMB0GA1UdDgQWBBTkIbLF5dSegsr4Z/IomfaF6PFV7zCB8AYDVR0j
+BIHoMIHlgBTkIbLF5dSegsr4Z/IomfaF6PFV76GBtqSBszCBsDELMAkGA1UEBhMC
+VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoM
+C3dvbGZTU0xfc20yMRMwEQYDVQQLDApDbGllbnQtc20yMRgwFgYDVQQDDA93d3cu
+d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV
+BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRj3XVjirBRT5xO/21VTs3ujybTgDAMBgNV
+HRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEA3ZiQaDWV
+YS8RkKXpMIuaqjPMc4p2louXjEzDEPwUVpsCIQD43ttnVFnKmCc9P/ZvMAxl4fug
+nxGr6nYwMcRmEde58g==
 -----END CERTIFICATE-----

certs/sm2/client-sm2.der

@@ -0,0 +1,179 @@
+#!/usr/bin/env python3
+"""Fix SM2 certificate SubjectPublicKeyInfo algorithm OID.
+
+OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID
+(1.2.840.10045.2.1) instead of the SM2-specific OID (1.2.156.10197.1.301).
+This script patches the SPKI algorithm OID back to SM2 and re-signs the
+certificate.
+
+Usage: fix_sm2_spki.py <cert.pem> <signing-key.pem> <output.pem>
+"""
+
+import base64
+import subprocess
+import sys
+import os
+import tempfile
+
+EC_PUBKEY_OID = bytes([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])
+SM2_ALGO_OID  = bytes([0x06, 0x08, 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x82, 0x2d])
+SM2_WITH_SM3  = bytes([0x30, 0x0a, 0x06, 0x08,
+                       0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x83, 0x75])
+
+
+def read_der_length(data, offset):
+    b = data[offset]
+    if b < 0x80:
+        return b, 1
+    num_bytes = b & 0x7f
+    length = 0
+    for i in range(num_bytes):
+        length = (length << 8) | data[offset + 1 + i]
+    return length, 1 + num_bytes
+
+
+def encode_der_length(length):
+    if length < 0x80:
+        return bytes([length])
+    elif length < 0x100:
+        return bytes([0x81, length])
+    elif length < 0x10000:
+        return bytes([0x82, length >> 8, length & 0xff])
+    else:
+        raise ValueError("Length too large: %d" % length)
+
+
+def find_enclosing_sequences(data, target_pos):
+    """Find length-field offsets of all SEQUENCEs enclosing target_pos."""
+    results = []
+
+    def scan(offset, end):
+        while offset < end:
+            tag = data[offset]
+            offset += 1
+            length, len_bytes = read_der_length(data, offset)
+            len_offset = offset
+            offset += len_bytes
+            content_start = offset
+            content_end = offset + length
+
+            if tag == 0x30 and content_start <= target_pos < content_end:
+                results.append((len_offset, length, len_bytes))
+                scan(content_start, content_end)
+                return
+            offset = content_end
+
+    scan(0, len(data))
+    return results
+
+
+def patch_tbs_spki_oid(tbs_der):
+    """Replace id-ecPublicKey with SM2 OID in TBS SubjectPublicKeyInfo."""
+    oid_pos = tbs_der.find(EC_PUBKEY_OID)
+    if oid_pos == -1:
+        return None  # Already has SM2 OID or no EC key
+
+    enclosing = find_enclosing_sequences(tbs_der, oid_pos)
+    size_diff = len(SM2_ALGO_OID) - len(EC_PUBKEY_OID)
+
+    result = bytearray(
+        tbs_der[:oid_pos] + SM2_ALGO_OID + tbs_der[oid_pos + len(EC_PUBKEY_OID):]
+    )
+
+    for len_offset, old_length, old_len_bytes in enclosing:
+        new_length = old_length + size_diff
+        new_len_encoded = encode_der_length(new_length)
+        if len(new_len_encoded) == old_len_bytes:
+            result[len_offset:len_offset + old_len_bytes] = new_len_encoded
+        else:
+            result[len_offset:len_offset + old_len_bytes] = new_len_encoded
+            size_diff += len(new_len_encoded) - old_len_bytes
+
+    return bytes(result)
+
+
+def pem_to_der(pem_text):
+    b64 = ''.join(
+        line for line in pem_text.split('\n')
+        if not line.startswith('-----') and line.strip()
+    )
+    return base64.b64decode(b64)
+
+
+def der_to_pem(der_data, label="CERTIFICATE"):
+    b64 = base64.b64encode(der_data).decode()
+    lines = [b64[i:i+64] for i in range(0, len(b64), 64)]
+    return ('-----BEGIN %s-----\n' % label +
+            '\n'.join(lines) +
+            '\n-----END %s-----\n' % label)
+
+
+def extract_tbs(cert_der):
+    assert cert_der[0] == 0x30
+    outer_len, outer_len_bytes = read_der_length(cert_der, 1)
+    tbs_offset = 1 + outer_len_bytes
+    tbs_len, tbs_len_bytes = read_der_length(cert_der, tbs_offset + 1)
+    tbs_total = 1 + tbs_len_bytes + tbs_len
+    return cert_der[tbs_offset:tbs_offset + tbs_total]
+
+
+def sign_tbs(tbs_der, key_pem_path):
+    """Sign TBS with SM2-with-SM3 using openssl dgst."""
+    with tempfile.NamedTemporaryFile(suffix='.der', delete=False) as tbs_f:
+        tbs_f.write(tbs_der)
+        tbs_path = tbs_f.name
+
+    sig_path = tbs_path + '.sig'
+    try:
+        result = subprocess.run(
+            ['openssl', 'dgst', '-sm3', '-sign', key_pem_path,
+             '-out', sig_path, tbs_path],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            raise RuntimeError("openssl dgst failed: " + result.stderr)
+
+        with open(sig_path, 'rb') as f:
+            return f.read()
+    finally:
+        os.unlink(tbs_path)
+        if os.path.exists(sig_path):
+            os.unlink(sig_path)
+
+
+def build_cert(tbs_der, sig_der):
+    bit_string = bytes([0x03, len(sig_der) + 1, 0x00]) + sig_der
+    cert_body = tbs_der + SM2_WITH_SM3 + bit_string
+    return bytes([0x30]) + encode_der_length(len(cert_body)) + cert_body
+
+
+def fix_sm2_cert(cert_pem_path, key_pem_path, output_pem_path):
+    with open(cert_pem_path, 'r') as f:
+        cert_pem = f.read()
+
+    cert_der = pem_to_der(cert_pem)
+    tbs = extract_tbs(cert_der)
+
+    new_tbs = patch_tbs_spki_oid(tbs)
+    if new_tbs is None:
+        print("  Already has SM2 OID, no patching needed")
+        if cert_pem_path != output_pem_path:
+            with open(output_pem_path, 'w') as f:
+                f.write(cert_pem)
+        return
+
+    sig = sign_tbs(new_tbs, key_pem_path)
+    new_cert_der = build_cert(new_tbs, sig)
+
+    with open(output_pem_path, 'w') as f:
+        f.write(der_to_pem(new_cert_der))
+
+    print("  Patched SPKI algorithm OID to SM2")
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 4:
+        print("Usage: %s <cert.pem> <signing-key.pem> <output.pem>" % sys.argv[0])
+        sys.exit(1)
+
+    fix_sm2_cert(sys.argv[1], sys.argv[2], sys.argv[3])

certs/sm2/client-sm2.pem

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
 check_result(){
     if [ $1 -ne 0 ]; then
         echo "Failed at \"$2\", Abort"
@@ -9,6 +11,15 @@ check_result(){
     fi
 }
 
+# OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID instead of
+# the SM2-specific OID.  fix_sm2_spki.py patches the SubjectPublicKeyInfo
+# algorithm OID back to SM2 and re-signs the certificate.
+fix_sm2_oid(){
+    # $1 = cert PEM, $2 = signing key PEM
+    python3 "${SCRIPT_DIR}/fix_sm2_spki.py" "$1" "$2" "$1"
+    check_result $? "Fix SM2 SPKI OID in $1"
+}
+
 openssl pkey -in root-sm2-priv.pem -noout >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "OpenSSL does not support SM2"
@@ -29,6 +40,7 @@ check_result $? "Generate request"
 openssl x509 -req -in root-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-sm2-priv.pem -out root-sm2.pem
 check_result $? "Generate certificate"
 rm root-sm2.csr
+fix_sm2_oid root-sm2.pem root-sm2-priv.pem
 
 openssl x509 -in root-sm2.pem -outform DER > root-sm2.der
 check_result $? "Convert to DER"
@@ -50,6 +62,7 @@ check_result $? "Generate request"
 openssl x509 -req -in ca-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-sm2.pem -CAkey root-sm2-priv.pem -set_serial 01 -out ca-sm2.pem
 check_result $? "Generate certificate"
 rm ca-sm2.csr
+fix_sm2_oid ca-sm2.pem root-sm2-priv.pem
 
 openssl x509 -in ca-sm2.pem -outform DER > ca-sm2.der
 check_result $? "Convert to DER"
@@ -71,6 +84,7 @@ check_result $? "Generate request"
 openssl x509 -req -in self-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey self-sm2-priv.pem -out self-sm2-cert.pem
 check_result $? "Generate certificate"
 rm self-sm2.csr
+fix_sm2_oid self-sm2-cert.pem self-sm2-priv.pem
 
 openssl x509 -in self-sm2-cert.pem -text > tmp.pem
 check_result $? "Add text"
@@ -90,6 +104,7 @@ check_result $? "Generate request"
 openssl x509 -req -in server-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-sm2.pem -CAkey ca-sm2-priv.pem -set_serial 01 -out server-sm2-cert.pem
 check_result $? "Generate certificate"
 rm server-sm2.csr
+fix_sm2_oid server-sm2-cert.pem ca-sm2-priv.pem
 
 openssl x509 -in server-sm2-cert.pem -outform DER > server-sm2-cert.der
 check_result $? "Convert to DER"
@@ -113,6 +128,7 @@ check_result $? "Generate request"
 openssl x509 -req -in client-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-sm2-priv.pem -out client-sm2.pem
 check_result $? "Generate certificate"
 rm client-sm2.csr
+fix_sm2_oid client-sm2.pem client-sm2-priv.pem
 
 openssl x509 -in client-sm2.pem -outform DER > client-sm2.der
 check_result $? "Convert to DER"