Hi,
What serial number should a CA certificate have?
man req states that serial number 0 will be used when generating a
self-signed request with "openssl req -x509", unless the -set_serial option
is used. But on my Sarge machine, generating self-signed certs produces
certificates with serial numbers different from 0, and different each
time. Here's an example on careq.pem:
[EMAIL PROTECTED]:~/crypto$ openssl req -x509 -key keys/cakey.pem -in reqs/careq.pem -noout -text -passin file:pswd |grep -A 1 Serial
Serial Number:
fa:5c:95:05:89:7d:cb:28
[EMAIL PROTECTED]:~/crypto$ openssl req -x509 -key keys/cakey.pem -in reqs/careq.pem -noout -text -passin file:pswd |grep -A 1 Serial
Serial Number:
be:31:23:0b:b5:be:e6:3e
[EMAIL PROTECTED]:~/crypto$ openssl req -x509 -key keys/cakey.pem -in reqs/careq.pem -noout -text -passin file:pswd |grep -A 1 Serial
Serial Number:
cb:8a:8b:f8:2e:d0:97:d5
Examining the CA certificates in my Firefox cert manager, I've found
certificates with serial numbers 00, 01 and ones like those I get.
The problem is that these serial numbers cause the command
"rebuildOpenSSLindexDB", called from Node->Administration->Backup and
recovery->"Rebuild OpenSSL's database and next serialnumber", to fail
with this error:
Loading the Objects ...
VALID_CA_CERTIFICATE: 7FFFFFFF
Error 700
General Error The compilation of the command cmdRebuildOpenSSLindexDB
failed. panic: array extend at /usr/share/openca/functions/crypto-utils.lib
line 369.
If I change genCert in OpenCA/OpenSSL.pm to use '-set_serial 0' then
rebuilding works fine.
So is this:
1. Bug in Debian's openssl
2. Bug in OpenCA.
Anyway, OpenCA should give a warning if it doesn't like Certificate's
Serial IMHO.
OpenSSL 0.9.7e
OpenCA: 0.9.2.2 and 0.9.2.1
DBI: postgres
Perl: 5.8.4
Best wishes
PS: I've posted this on openca-users but didn't get any reply. Has the
list been somewhat less active in the last weeks?
--
Alexei Chetroi
Smile... Tomorrow will be worse. (c) Murphy's Law
_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
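
Added example (not part of the original post and not OpenCA code): a Python pre-check that reads the serial number from openssl's text output, in both the one-line and the colon-hex layout, and reports whether it fits under a limit. The 0x7FFFFFFF limit is an assumption taken from the value printed in the error output above; the function names and sample inputs are hypothetical.

```python
import re

# Assumption: the 7FFFFFFF shown in the error output is a signed 32-bit ceiling
# that the index-rebuild code cannot go beyond.
MAX_SAFE_SERIAL = 0x7FFFFFFF

# Constructed samples modelled on the two layouts openssl prints with -text:
# colon-separated hex on the following line for large serials, and
# "decimal (0xhex)" on the same line for small ones.
LONG_FORM = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:5c:95:05:89:7d:cb:28
        Signature Algorithm: sha1WithRSAEncryption
"""
SHORT_FORM = "        Serial Number: 0 (0x0)\n"

_INLINE = re.compile(r"Serial Number:\s*\d+\s*\(0x([0-9a-fA-F]+)\)")
_HEADER = re.compile(r"Serial Number:\s*$")
_COLON_HEX = re.compile(r"^\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)\s*$")


def parse_serial(text):
    """Return the certificate serial as an int from openssl text output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        inline = _INLINE.search(line)
        if inline:
            return int(inline.group(1), 16)
        # Large serials: value is on the line after the "Serial Number:" header.
        if _HEADER.search(line) and i + 1 < len(lines):
            value = _COLON_HEX.match(lines[i + 1])
            if value:
                return int(value.group(1).replace(":", ""), 16)
    raise ValueError("no serial number found in input")


def check_serial(text, limit=MAX_SAFE_SERIAL):
    """Return (serial, fits) where fits is False if serial exceeds limit."""
    serial = parse_serial(text)
    return serial, serial <= limit


if __name__ == "__main__":
    for label, sample in (("long", LONG_FORM), ("short", SHORT_FORM)):
        serial, fits = check_serial(sample)
        print(f"{label}: serial=0x{serial:X} -> {'ok' if fits else 'WARNING: exceeds limit'}")
```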