On Fri, 2005-09-02 at 16:37 +0200, Ives Steglich wrote:
> John A. Sullivan III wrote:
> 
> > I used openssl x509 to examine the subject of every cert in
> > var/crypto/certs.  Somehow, the very last two have the same DN.  I
> > quadruple checked and they match character for character including
> > checking for terminating or initial spaces.
> >
> i think this is exactly the problem or better openssl does have here ;)
> 
> > Could this be creating this problem? If so, how do I safely remove them?
> > Can I revoke them or, as I would suspect, will this create still show
> > duplicate DNs in the database? Thanks - John
> 
> no, revoking would just add it to the crl if you issue one
> but it would still appear in the list of issued certificates of course
> but you can try to remove one entry from the openssl index file, usually 
> this should help
> 
> (i'm not sure if openca may rebuild this from its own database, you it 
> would maybe add this entry again - just try... otherwise you have to 
> remove it from the internal openca db too, would be easy if you use a 
> real sql system...)
> 
> so next time you can just check var/crypto/index since this is the 
> internal openssl db... if you find there a line with the same DNs 
> openssl will usually fail to operate... with this kind of error message 
> you have
<snip>
Ok - it's starting to make sense.  I did speak to the operator who
issued the duplicate DN cert.  He said that he did indeed delete the
existing entry from the index file and then was able to create the cert.
I suppose it is coming back to bite us.

We are using PostgreSQL for the database.  I am assuming that I would
need to:
1) remove the entry from the index file in crypto on the CA
2) remove the row from the CA Pgsql database certificate table
3) remove the corresponding row from the CA pgsql database request table
4) remove the row from the RA pgsql database certificate table (RA is on
a separate computer)
5) remove the corresponding row from the RA pgsql database request table
6) remove the entry from the index file in crypto on the RA
7) rebuild indices on both the CA and RA

Does this catch all the dependencies? Is it overkill? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[EMAIL PROTECTED]

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
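As an added example (not code from this thread, nor from OpenCA or OpenSSL), here is a small Python checker for the OpenSSL CA index file Ives refers to (var/crypto/index, in the standard tab-separated index.txt layout). It flags subject DNs that occur on more than one valid (V) row, which is the condition that stops `openssl ca` from loading its database when unique_subject is in effect; revoked rows are ignored by default because they are not part of that uniqueness check. The sample rows are constructed.

```python
"""Detect duplicate subject DNs in an OpenSSL CA index.txt file.

Assumed layout (standard 'openssl ca' database), one row per cert,
tab-separated: status  expiry  revocation_date  serial  filename  subject
status is V (valid), R (revoked) or E (expired).
"""
from collections import defaultdict

# Constructed sample: alice has two valid rows (the failure case from the
# thread); bob has one revoked and one valid row, which openssl accepts.
SAMPLE_INDEX = (
    "V\t060901120000Z\t\t01\tunknown\t/C=US/O=Example/CN=alice\n"
    "R\t060901120000Z\t050815093000Z\t02\tunknown\t/C=US/O=Example/CN=bob\n"
    "V\t060901120000Z\t\t03\tunknown\t/C=US/O=Example/CN=bob\n"
    "V\t060901120000Z\t\t04\tunknown\t/C=US/O=Example/CN=alice\n"
)


def parse_index(text):
    """Parse index.txt rows into dicts, skipping blank lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "subject": subject, "line": lineno})
    return entries


def duplicate_subjects(entries, valid_only=True):
    """Return {subject DN: [serials]} for DNs seen on more than one row.

    With valid_only=True only V rows count, mirroring the uniqueness rule
    openssl applies; set it False to audit every row regardless of status."""
    by_dn = defaultdict(list)
    for entry in entries:
        if valid_only and entry["status"] != "V":
            continue
        by_dn[entry["subject"]].append(entry["serial"])
    return {dn: serials for dn, serials in by_dn.items() if len(serials) > 1}


def check_index_file(path):
    """Load a real index file from disk and report duplicate valid subjects."""
    with open(path, encoding="utf-8") as fh:
        return duplicate_subjects(parse_index(fh.read()))


if __name__ == "__main__":
    for dn, serials in duplicate_subjects(parse_index(SAMPLE_INDEX)).items():
        print(f"duplicate valid subject {dn}: serials {', '.join(serials)}")
```

Run it against a copy of the live index before editing anything by hand, so you know which serials share a DN and can decide which row to remove.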