pierre lhostis wrote:
> Hello all,
>
> I have got a simple question.
> I noticed that using OpenCA I am able to issue 2 certificates with the
> same CN, same mail-address, same OU, same O, same role (same everything
> I guess) with the obvious difference being that the serial numbers are
> different. I did not check what it implies managing LDAP, I guess it
> should be trouble.
>
> So, I would like to know if it is normal behaviour for a CA to be able
> to deliver two certificates with the same information in the DNs even if
> the serial numbers are different.

To clarify this a bit:

- there is a serial number, which every certificate has and which is the truly unique identifier for this certificate with regard to the issuing CA - since also in a CRL only the serial number of the cert is available at a minimum
- there is the DN which doesn't have to be unique but can contain the serial, so it becomes unique even if all other fields are the same
- so it is possible and even standard conform to have certificates with the same DN, because they are always unique in the serial
- this may lead to problems in LDAP - right, but this is a policy question of your organisation how to handle this, if you allow this and so on..., but usually it's no problem to have more than one certificate in an LDAP assigned to a node - AFAIR you will simply have several certificates available then... but I'm not sure about this
- OpenSSL doesn't support non-unique DNs by default; there is a patch for 0.9.7c I think which 'fixes' this and introduces a new command line option for ca.c of OpenSSL, which OpenCA uses if you set the configuration to use non-unique DNs
- OpenSSL includes this kind of support in the 0.9.8 series but will use a different command line call for this, as far as I have the comment from OpenSSL in mind

greetings
dalini

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
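As an added example (not code from the thread, OpenCA or OpenSSL), a small Python model of the point dalini makes: a parser for the `openssl ca` index.txt database, the duplicate-subject check that OpenSSL's `unique_subject` config setting (0.9.8 series) enforces against valid entries, and revocation lookup keyed on the serial number alone. The index lines are constructed sample data and the DNs are hypothetical.

```python
"""Model of OpenSSL 'ca' index.txt handling: subject uniqueness vs. serial identity."""
from collections import defaultdict

# Constructed sample of an OpenSSL ca index.txt. Tab-separated fields:
# status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial (hex), file, subject DN.
# Serials 01 and 02 carry the identical DN that the question on the list describes.
SAMPLE_INDEX = """\
V\t060101000000Z\t\t01\tunknown\t/C=FR/O=Example/OU=IT/CN=Pierre/emailAddress=pierre@example.org
V\t060101000000Z\t\t02\tunknown\t/C=FR/O=Example/OU=IT/CN=Pierre/emailAddress=pierre@example.org
R\t060101000000Z\t050301120000Z\t03\tunknown\t/C=FR/O=Example/OU=IT/CN=Alice
"""


def parse_index(text):
    """Return one dict per index.txt line; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, fname, subject = line.split("\t")
        entries.append({"status": status, "expiry": expiry, "revoked": revoked or None,
                        "serial": serial.upper(), "subject": subject})
    return entries


def duplicate_subjects(entries):
    """Map each DN that appears on more than one certificate to its serials.

    A CA run with unique_subject=yes never produces such a state; with
    unique_subject=no (what OpenCA's non-unique-DN mode asks for) it is allowed.
    """
    by_subject = defaultdict(list)
    for e in entries:
        by_subject[e["subject"]].append(e["serial"])
    return {dn: serials for dn, serials in by_subject.items() if len(serials) > 1}


def may_issue(entries, subject, unique_subject=True):
    """Policy decision for a new request: only a still-valid ('V') entry with the
    same DN blocks issuance, and only when unique_subject is enforced."""
    if not unique_subject:
        return True
    return not any(e["subject"] == subject and e["status"] == "V" for e in entries)


def is_revoked(entries, serial):
    """Revocation is looked up by serial, as a CRL entry is; the DN plays no role."""
    for e in entries:
        if e["serial"] == serial.upper():
            return e["status"] == "R"
    raise KeyError(serial)
```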
