
List:       openssl-users
Subject:    Re: Renewing a CA root certificate
From:       "Dr. Stephen Henson" <steve () openssl ! org>
Date:       2005-11-26 0:41:45
Message-ID: 20051126004145.GA48839 () openssl ! org

On Sat, Nov 26, 2005, Jason Haar wrote:

> Arsen Hayrapetyan wrote:
> > A solution could be one which Jason described. May be the reason by
> > which the new root certificate is not recognized is that the serial
> > number was changed?
> >   
> 
> Could very well be the case. Our original CA had a serial number of "0".
> This has proven to be a bad move as Cisco IOS refuses to accept a CA
> cert with such a value (even though the RFCs state a serial number must
> be an integer, and last I looked, zero is an integer...) So when I
> re-signed the CA I gave it a serial of "1" so as to "fix" that problem.
> 
> As I am keen to gain the ability to sign Cisco certs, I'm going to
> simply start a "new" CA. We'll reconfigure all our servers to accept
> both the old and new CA, and then simply phase over all new signings to
> the new CA.
> 

Well the RFCs say a non-negative integer at one point and that non-negative or
zero is non-conforming in another.

I heard from the authors that the intention was to only allow positive
integers, so now OpenSSL-created serial numbers (using CA.pl for example) will
always be positive.

Changing the root serial number to 1 (using the same DN and key) will cause
problems if a certificate with the same serial number signed by that CA
already exists. This is due to the fact that issuer name and serial number
must be unique and this can cause all manner of problems with some software if
duplicates exist.

Because it was possible to create duplicates by entering the same details
twice, the latest versions of OpenSSL don't start from '1' any more but instead
generate a random number.

So using the "official" methods of certificate creation and signing (CA.pl)
that shouldn't be a problem. However, lots of unofficial "cookbooks" still
exist which often manually create serial number files.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
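The constraints discussed in this thread (a serial must be a positive integer, issuer name plus serial must be unique, and a random serial avoids the duplicates a hand-maintained counter file invites) as an added Python example. This is not OpenSSL's code and not something posted in the thread; the CA distinguished name and the index records are constructed to mirror the scenario Jason describes (a root with serial 0, a leaf with serial 1, then the root re-signed with serial 1). The 20-octet limit is the one RFC 5280 section 4.1.2.2 places on conforming CAs.

```python
"""Serial-number hygiene for an X.509 CA: DER INTEGER encoding, RFC 5280
range checks, random generation and (issuer, serial) uniqueness.

Added example, not OpenSSL's code. SAMPLE_INDEX below is constructed to
mirror the issuer/serial columns of an OpenSSL-style CA database.
"""
from __future__ import annotations

import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 s.4.1.2.2: conforming CAs use at most 20


def encode_serial_der(n: int) -> bytes:
    """DER INTEGER content octets (tag and length omitted): minimal
    two's-complement big-endian. A positive value whose top bit is set needs
    a leading 0x00, which is why a 20-octet positive serial has only 159
    usable bits."""
    if n == 0:
        return b"\x00"
    magnitude_bits = n.bit_length() if n > 0 else (~n).bit_length()
    return n.to_bytes((magnitude_bits + 8) // 8, "big", signed=True)


def decode_serial_der(content: bytes) -> int:
    """Inverse of encode_serial_der. A CA that writes 0x80... without the
    pad byte has emitted a negative serial, which RFC 5280 calls
    non-conforming and some verifiers reject outright."""
    if not content:
        raise ValueError("empty INTEGER content")
    return int.from_bytes(content, "big", signed=True)


def check_serial(n: int) -> list[str]:
    """Return the RFC 5280 conformance problems with a serial (empty = OK)."""
    problems = []
    if n <= 0:
        problems.append("serial must be positive: zero and negative values "
                        "are non-conforming")
    if len(encode_serial_der(n)) > MAX_SERIAL_OCTETS:
        problems.append("serial exceeds %d DER octets" % MAX_SERIAL_OCTETS)
    return problems


def random_serial(octets: int = 16) -> int:
    """Random positive serial, the approach modern OpenSSL/CA.pl takes
    instead of a counter file. Clearing the top bit keeps the DER encoding
    positive without a pad byte; zero is rejected so it can never be issued."""
    while True:
        n = int.from_bytes(secrets.token_bytes(octets), "big")
        n &= (1 << (octets * 8 - 1)) - 1
        if n:
            return n


def find_collisions(index: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Return every (issuer DN, serial) pair that appears more than once.
    Re-signing a root with serial 1 when that root already issued a
    serial-1 leaf is exactly such a collision: a self-signed root's issuer
    is its own DN, the same issuer the leaf carries."""
    counts: dict[tuple[str, int], int] = {}
    for issuer, serial in index:
        counts[(issuer, serial)] = counts.get((issuer, serial), 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed sample: issuer DN and serial of each certificate the CA has
# signed, in the order of the scenario from the thread.
CA_DN = "CN=Example Root CA,O=Example"
SAMPLE_INDEX = [
    (CA_DN, 0),  # original self-signed root, serial 0 (rejected by IOS)
    (CA_DN, 1),  # first leaf certificate issued by the root
    (CA_DN, 2),  # second leaf
    (CA_DN, 1),  # root re-signed with serial 1: collides with the first leaf
]


def audit(index: list[tuple[str, int]]) -> dict[str, object]:
    """Run both checks over an index and report what a CA operator needs."""
    bad = {serial: check_serial(serial) for _, serial in index
           if check_serial(serial)}
    return {"non_conforming": bad, "collisions": find_collisions(index)}


if __name__ == "__main__":
    print(audit(SAMPLE_INDEX))
    fresh = random_serial()
    print("fresh serial:", hex(fresh), "DER octets:",
          len(encode_serial_der(fresh)), check_serial(fresh) or "conforming")
```

Running it on the constructed index flags serial 0 as non-conforming and reports the (issuer, 1) collision between the leaf and the re-signed root; a freshly generated serial passes both checks. Anyone keeping a hand-edited serial file should run the uniqueness check over their index before re-signing a CA with a recycled serial.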