Michael,
Michael Pratt wrote:
So yeah, it was definitely an oversight on our part, but it would still be
nice if this was documented. I couldn't find in any of the docs
(http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52) where it stated DS
would behave that way if the serial number wasn't unique. Of course, this
may be such common practice (or even the standard) that documenting it
seems silly, I don't know.
That's correct. A certificate must be uniquely defined by its issuer and
serial number. That's one of the foundations of PKI and required by X.509.
You can't expect NSS, DS, Mozilla or any other product to operate when
this assumption is broken.
You should revoke that serial number if you reused it multiple times,
and start issuing new ones. Or better yet, create a new issuer and start
fresh. It helps if you use a CA product to manage your PKI rather than
scripts.
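The check the thread implies, written as an added example (not code from the thread, NSS or Directory Server): walk each certificate's DER just far enough to read the serialNumber and the raw issuer Name, then group by that pair and report any group with more than one certificate. It uses only the Python standard library; the sample certificates are constructed here with a tiny DER encoder, are unsigned toys, and stand in for real DER files an operator would read from disk.

```python
"""Flag X.509 certificates that collide on (issuer, serialNumber).

Stdlib-only DER walker: it reads just enough of each certificate's
TBSCertificate to pull out the serialNumber INTEGER and the raw issuer Name,
then groups certificates by that pair. Everything after the issuer is ignored.
"""
from collections import defaultdict


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, next offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_identity(der):
    """Return (issuer_name_der, serial) for a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)       # tbsCertificate
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier, skipped
    tag, issuer, _ = _read_tlv(tbs, pos)   # issuer Name, kept as raw DER bytes
    if tag != 0x30:
        raise ValueError("issuer Name not found")
    return issuer, serial


def find_duplicate_identities(certs):
    """certs: iterable of (label, der_bytes). Return {(issuer, serial): [labels]} for collisions only."""
    groups = defaultdict(list)
    for label, der in certs:
        groups[cert_identity(der)].append(label)
    return {k: v for k, v in groups.items() if len(v) > 1}


# --- constructed sample input: toy, unsigned certificates built with a tiny DER encoder ---

def _tlv(tag, body):
    """DER encode tag + length + body (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(i):
    """Minimal two's-complement INTEGER encoding (leading 0x00 when the high bit is set)."""
    return _tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big", signed=True))


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, attr))


def make_test_cert(issuer_cn, serial, subject_cn="toy-subject"):
    """Structurally valid Certificate with the fields the checker reads; signature is a dummy."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    rsa_enc = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))  # rsaEncryption
    tbs = (_tlv(0xA0, _der_int(2))                                   # version v3
           + _der_int(serial)                                        # serialNumber
           + sha256_rsa                                              # signature algorithm
           + _name(issuer_cn)                                        # issuer
           + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))  # validity
           + _name(subject_cn)                                       # subject
           + _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00")))              # placeholder SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00" * 9))


SAMPLE_CERTS = [
    ("server-a.der", make_test_cert("Example Internal CA", 1001)),
    ("server-b.der", make_test_cert("Example Internal CA", 1002)),
    ("server-c.der", make_test_cert("Example Internal CA", 1001)),  # serial 1001 reused: collision
    ("partner.der",  make_test_cert("Other CA", 1001)),             # same serial, different issuer: fine
]

if __name__ == "__main__":
    for (issuer, serial), labels in find_duplicate_identities(SAMPLE_CERTS).items():
        print(f"serial {serial} under issuer {issuer!r} is shared by: {', '.join(labels)}")
```

Run it as-is and it reports that server-a.der and server-c.der share serial 1001 under the same issuer, while partner.der is untouched because the issuer differs. Against a real store, feed `find_duplicate_identities` pairs of (path, DER bytes); PEM files need their base64 body decoded first. Note that the issuer is compared as raw DER bytes, so two issuer names that differ only in encoding (PrintableString versus UTF8String, say) would not collide here even though a stricter matcher might treat them as equal.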
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto