I am trying to identify if I made a judgment mistake.

Background:

We recently had to create a new sub CA, and during that exercise of bringing the root CA online we decided to update the certificate with a SHA256 signature.

What we did: We re-signed the ROOT CA, keeping Serial Number, Issuer, Validity, Subject, and Subject Public Key Info exactly the same. All tests indicated this was fine. We then started updating our servers, giving them the newly published SHA256 version. As shown in the thread below, Firefox gave a SEC_ERROR_REUSED_ISSUER_AND_SERIAL error. Certificate specimens at the bottom of the email.

Question: Is this a valid error condition? If the certificate contained different keys or values, then the serial should be different. In fact it is a cheap action to issue new certificates for all but the ROOT, so one would never need or want to do this.

If this is a valid error condition, is the proper action to issue a new root, cross sign it with the old and start distributing the new ROOT?

-Jason

> -----Original Message-----
> From: Kyle Marek
> Sent: Wednesday, June 15, 2016 16:27
> To: Jason Pyeron
> Subject: Re: SSL/TLS
>
> It was complaining about the root. After extracting your
> "new" CA with openssl's s_client, I replaced the cert in my
> browser with the "new" one and now it works. I think it just
> didn't like that the CA your site was presenting, and the CA
> in my cache were "different", yet had the same serial.
>
> The fingerprint changed, as well, even though the public key
> modulus is the same.
>
> On 06/15/2016 04:02 PM, Jason Pyeron wrote:
> > Is it complaining about the ROOT or server cert?
> >
> > The ROOT was "resigned" with sha256, it should not complain since the
> > cert subject and issuer and dates and keys have not changed, hence the
> > serial should be the same.
> >
> > The serial for intranet is unique.
> >
> >> -----Original Message-----
> >> From: Kyle Marek
> >> Sent: Wednesday, June 15, 2016 15:58
> >> To: Jason Pyeron
> >> Subject: SSL/TLS
> >>
> >> From Firefox:
> >>
> >> An error occurred during a connection to intranet.pdinc.us.
> >> You have received an invalid certificate. Please contact the server
> >> administrator or email correspondent and give them the following
> >> information: Your certificate contains the same serial number as
> >> another certificate issued by the certificate authority. Please get a
> >> new certificate containing a unique serial number. Error code:
> >> SEC_ERROR_REUSED_ISSUER_AND_SERIAL
> >

OLD: [PEM certificate block omitted]

NEW: [PEM certificate block omitted]

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100   -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218  -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
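The condition Kyle describes (the cached root and the served root share issuer and serial but are not the same bytes, so the fingerprint differs), as an added Python example that is not code from the thread or from NSS. It builds two constructed root-shaped DER certificates that differ only in signature algorithm; the OIDs are the standard sha1WithRSAEncryption, sha256WithRSAEncryption and rsaEncryption values, while the CN "Example Root CA", the dates, and the zeroed key and signature bits are placeholders rather than the thread's real certificates.

```python
import hashlib
# Added example, not code from the thread: two constructed root-shaped DER certs
# share serial, issuer, validity, subject and SPKI but differ in signature
# algorithm; key bits and signature bits are zeroed placeholders.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # rsaEncryption
def tlv(tag, body):  # DER tag-length-value (short or long length form)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off=0):  # -> (tag, body, offset just past this TLV)
    first = buf[off + 1]
    n = 0 if first < 0x80 else first & 0x7F
    length = first if n == 0 else int.from_bytes(buf[off + 2:off + 2 + n], "big")
    start = off + 2 + n
    return buf[off], buf[start:start + length], start + length

def alg_id(oid):
    return tlv(0x30, tlv(0x06, oid) + b"\x05\x00")
def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, cn } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn))))
def constructed_root(sig_oid, serial=b"\x01"):  # self-issued; placeholder key/signature
    validity = tlv(0x30, tlv(0x17, b"160615000000Z") + tlv(0x17, b"260615000000Z"))
    spki = tlv(0x30, alg_id(RSA_ENC) + tlv(0x03, b"\x00" * 17))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg_id(sig_oid)
              + name(b"Example Root CA") + validity + name(b"Example Root CA") + spki)
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 17))

def cert_identity(der):  # -> (issuer Name as raw DER, serial, signature OID)
    tbs = read_tlv(read_tlv(der)[1])[1]
    tag, body, off = read_tlv(tbs)
    if tag == 0xA0:                      # explicit [0] version is optional
        tag, body, off = read_tlv(tbs, off)
    serial = int.from_bytes(body, "big", signed=True)
    _, sigalg, off = read_tlv(tbs, off)
    issuer_end = read_tlv(tbs, off)[2]
    return tbs[off:issuer_end], serial, read_tlv(sigalg)[1]

def reused_issuer_and_serial(cached_der, presented_der):
    """SEC_ERROR_REUSED_ISSUER_AND_SERIAL as seen in the thread: same (issuer, serial)
    as the cached cert, but not the same bytes (hence a different fingerprint)."""
    c, p = cert_identity(cached_der), cert_identity(presented_der)
    return c[:2] == p[:2] and hashlib.sha256(cached_der).digest() != hashlib.sha256(presented_der).digest()

OLD_ROOT = constructed_root(SHA1_RSA)    # the root clients already cached
NEW_ROOT = constructed_root(SHA256_RSA)  # the re-signed root now being served
```

The issuer is compared as raw DER bytes, so a differently encoded but semantically identical Name counts as a different issuer for this check.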