On Fri, Oct 10, 2003 at 10:53:09AM +1300, Jason Haar wrote:
> It's all working well - until now. We have found that we cannot sign certs
> created by Cisco IOS - well it can - but then the Cisco refuses to use it.
> Upon talking to Cisco, they say it's because our CA has a Serial number of
> "0" - which is illegal(!?). They said this was a known bug in OpenSSL that
> was fixed in a later release...
>
> Anyway, if all that is true, I'd like to simply re-create the CA cert under
> a newer OpenSSL release - using the existing private key and serial number 1
> - which for some reason is actually available (the first signed cert starts
> at 2 - don't know why!).
>
Some results. If I simply renew the certificate - so that the only thing that's changed is the expiry date - that new CA cert can be used seamlessly with the existing infrastructure. However, I didn't want that. I wanted to change the Serial number from '0' to '1'. So I renewed it again but set the serial to '1', and it breaks everything :-(

Does that sound correct? Even though the private and public key are the same, changing the serial number "isn't allowed"?

Sounds like we either tear out our entire PKI infrastructure and start again, or I have to bring up an RA... Well, that's a hard choice ;-/

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
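The thread does not say why re-issuing the CA certificate with the same key but a new serial breaks the existing certificates. One mechanism that fits both observations (renewing only the expiry works, changing the serial does not) is the Authority Key Identifier extension: when issued certificates carry the issuer's DN and serial in their AKI (OpenSSL's `authorityKeyIdentifier=keyid,issuer` style), verification compares that embedded serial against the CA certificate actually presented. The script below is an added example written for this page, not code from the thread or from OpenSSL; it tests that hypothesis with the `openssl` command line. It assumes a POSIX shell and an `openssl` binary on PATH, uses a throwaway CA and leaf it generates itself, and uses the constructed serials 1 and 1000 rather than the 0 and 1 discussed above, to stay clear of any separate handling of serial 0.

```shell
#!/bin/sh
# Added example (not from the thread): does re-issuing a CA certificate with
# the SAME key but a DIFFERENT serial break certificates it already issued?
# Hypothesis tested: it depends on whether the leaf's Authority Key Identifier
# (AKI) embeds the issuer serial. All keys, names and serials are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
# v3_ca gives the CA a Subject Key Identifier, which the 'keyid' AKI form copies.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical,keyCertSign,cRLSign
EOF

# One CA key, reused for every CA certificate variant below (as in the thread).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" >/dev/null 2>&1

# make_ca SERIAL OUTFILE: self-signed CA cert with the shared key and given serial.
make_ca() {
    openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
        -subj "/CN=Constructed Test CA" -days 1 -set_serial "$1" -out "$2" >/dev/null 2>&1
}

# issue_leaf CAFILE AKISPEC OUTFILE: leaf signed by CAFILE with the given AKI form.
issue_leaf() {
    printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=%s\n' "$2" > "$WORK/ext.cnf"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -subj "/CN=leaf.example.test" \
        -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$WORK/ca.key" \
        -set_serial 2 -days 1 -extfile "$WORK/ext.cnf" -out "$3" >/dev/null 2>&1
}

# verify_leaf CAFILE LEAF: prints OK when LEAF chains to CAFILE, FAIL otherwise.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# serial_change_result AKISPEC: issue a leaf under the serial-1 CA, confirm it
# verifies there, then check it against the same-key CA re-issued with serial 1000.
# Prints OK, FAIL, or BROKEN (if even the original CA fails, the setup is wrong).
serial_change_result() {
    make_ca 1    "$WORK/ca_serial1.pem"
    make_ca 1000 "$WORK/ca_serial1000.pem"
    issue_leaf "$WORK/ca_serial1.pem" "$1" "$WORK/leaf.pem"
    [ "$(verify_leaf "$WORK/ca_serial1.pem" "$WORK/leaf.pem")" = OK ] || { echo BROKEN; return; }
    verify_leaf "$WORK/ca_serial1000.pem" "$WORK/leaf.pem"
}

printf 'AKI = keyid (no issuer serial):      %s\n' "$(serial_change_result keyid)"
printf 'AKI = keyid,issuer:always (serial):  %s\n' "$(serial_change_result keyid,issuer:always)"
```

Expected behaviour: the leaf whose AKI carries only the key identifier still verifies against the re-issued CA (same key, same SKI hash), while the leaf whose AKI embeds the issuer DN and serial fails, because OpenSSL rejects a candidate issuer whose serial does not match the one recorded in the AKI. To tell which case an existing deployment is in, inspect an issued certificate with `openssl x509 -in cert.pem -noout -text` and look for a `serial:` line under "X509v3 Authority Key Identifier"; if it is present, every issued certificate is pinned to the old CA serial and only the key-identifier form survives a serial change.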