Christophe Bailleux wrote:
> 
> Hi,
> 
> RFC 2459 states the following (see section 4.1.2.6, "Subject") :
> 
>    Where it is non-empty, the subject field MUST contain an X.500
>    distinguished name (DN). The DN MUST be unique for each subject
>    entity certified by the one CA as defined by the issuer name field. A
>    CA may issue more than one certificate with the same DN to the same
>    subject entity.
> 
> However, I couldn't find a way to have OpenCA create more than one
> certificate for the same DN. Reported error is :
> 
> General Error Trapped 6735: A Valid Certificate with same DN exists! at
> /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
> Compilation failed in require at /usr/local/apache/cgi-bin/ca/ca line 194.
> 
> It seems OpenCA refuses to do so, using the certificate's DN as a unique
> identifier. I thought I could use more than one certificate per user, using
> for LDAP the same DN and many usercertificate;binary attributes?

The problem is not OpenCA. OpenCA manages the certificates by the serial
and by the certificate itself. The problem is that we use OpenSSL to
create the certificates. OpenSSL's index.txt cannot handle certificates
with the same DN. Therefore OpenCA checks the DN.

Do you really need certificates with the same DN? There are two ways:

1. patch OpenSSL
2. - use a new (and empty) index.txt every time
   - build a new index.txt from OpenCA's database if we try to issue a
     CRL

Any comments to these ideas?

Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                                       http://www.openca.org


_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
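The second idea above (keep the CA's own database authoritative and regenerate OpenSSL's index.txt only when a CRL has to be produced) is easy to sketch. The following is an added example written for this page, not OpenCA or OpenSSL code: it writes index.txt in the six-column format `openssl ca` expects, parses it back, reports the condition the unique-subject check trips over (two V lines with the same DN), and extracts what `-gencrl` needs from it. The `CertRecord` layout, the sample records and the fixed "now" are assumptions of the example.

```python
"""Regenerate an OpenSSL ``index.txt`` from a certificate database.

Added example, not OpenCA or OpenSSL code.  It models idea 2 from the mail
above: treat the CA's own database as authoritative and rebuild the text
database ``openssl ca`` wants only when a CRL has to be issued.  The record
format, field values and sample data below are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CertRecord:
    """One row of the (assumed) CA database."""
    serial: int
    subject: str                      # OpenSSL one-line DN, e.g. "/C=DE/O=Example/CN=alice"
    not_after: datetime               # UTC
    revoked_at: Optional[datetime] = None
    reason: Optional[str] = None      # CRL reason name, e.g. "keyCompromise"


def _ts(dt: datetime) -> str:
    """index.txt timestamp: UTCTime, YYMMDDHHMMSSZ."""
    return dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def _serial_hex(serial: int) -> str:
    """Upper-case hex with an even number of digits, as ``openssl ca`` writes it."""
    h = format(serial, "X")
    return h if len(h) % 2 == 0 else "0" + h


def index_line(rec: CertRecord, now: datetime) -> str:
    """Six tab-separated columns: status, expiry, revocation, serial, filename, subject."""
    if rec.revoked_at is not None:
        status, rev = "R", _ts(rec.revoked_at) + (f",{rec.reason}" if rec.reason else "")
    elif rec.not_after <= now:
        status, rev = "E", ""       # what ``openssl ca -updatedb`` would mark
    else:
        status, rev = "V", ""
    return "\t".join([status, _ts(rec.not_after), rev, _serial_hex(rec.serial), "unknown", rec.subject])


def build_index(records: List[CertRecord], now: datetime) -> str:
    """Full index.txt content, ordered by serial, ready to write next to index.txt.attr."""
    return "".join(index_line(r, now) + "\n" for r in sorted(records, key=lambda r: r.serial))


def parse_index(text: str) -> List[dict]:
    """Read index.txt back into dicts keyed by column name; reject malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        rows.append(dict(zip(("status", "expiry", "revocation", "serial", "file", "subject"), cols)))
    return rows


def duplicate_valid_subjects(text: str) -> List[str]:
    """Subjects that appear on more than one V line: the state the unique-subject
    check in ``openssl ca`` refuses to create.  R and E lines do not count."""
    count = {}
    for row in parse_index(text):
        if row["status"] == "V":
            count[row["subject"]] = count.get(row["subject"], 0) + 1
    return sorted(s for s, n in count.items() if n > 1)


def revoked_entries(text: str) -> List[tuple]:
    """(serial, revocation time, reason) for every R line: what ``openssl ca -gencrl`` puts in the CRL."""
    out = []
    for row in parse_index(text):
        if row["status"] == "R":
            when, _, reason = row["revocation"].partition(",")
            out.append((row["serial"], when, reason or None))
    return out


# Constructed sample database: two valid certificates for the same DN (the case
# from the mail), one revoked certificate for that DN, and one expired certificate.
NOW = datetime(2003, 9, 1, tzinfo=timezone.utc)
ALICE = "/C=DE/O=Example/CN=alice"
SAMPLE_RECORDS = [
    CertRecord(10, ALICE, datetime(2004, 3, 1, 12, 0, 0, tzinfo=timezone.utc)),
    CertRecord(11, ALICE, datetime(2004, 3, 1, 12, 0, 0, tzinfo=timezone.utc),
               revoked_at=datetime(2003, 6, 15, 8, 30, 0, tzinfo=timezone.utc), reason="keyCompromise"),
    CertRecord(12, ALICE, datetime(2005, 1, 1, 0, 0, 0, tzinfo=timezone.utc)),
    CertRecord(256, "/C=DE/O=Example/CN=bob", datetime(2002, 1, 1, 0, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_RECORDS, NOW)
    print(index, end="")
    print("duplicate valid DNs:", duplicate_valid_subjects(index))
    print("CRL entries:", revoked_entries(index))
```

Two practical notes. First, only V lines block re-issuance in `openssl ca`, so a rebuilt index that carries the revoked and expired rows alongside the valid ones is harmless for `-gencrl`; the duplicate that matters is two valid certificates with the same subject. Second, later OpenSSL releases added `unique_subject = no` for the `[ca]` section of the config (the setting is also recorded in `index.txt.attr`), which disables that check and makes either workaround unnecessary; rebuilding index.txt from the database is still the right design when the database, not the text file, is meant to be the source of truth.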
