Stefan Kelm <[EMAIL PROTECTED]>:

>>>> I have realized that a root-cert that was generated via req -x509...
>>>> always gets the serial-number "00". I think this could lead to some
>>>> trouble if you want to renew the root-cert (for whatever reason) with
>>>> the same subject name. So it would be a good idea to use the value in
>>>> the file "serial".

>                           I can't see why root certificates always have
> to have a serial number of 00 and why neither index.txt nor serial are
> being used by the applications in this case. Many CAs may want to choose
> values different from 00 even for root certificates.

OpenSSL currently thinks that the DN can be used as a primary key for
certificates, so the very concept of reissuing a certificate is
problematic now.  One first step to make things right is to use the DN
plus any key identifier that may be available, but this does not cover
re-issued certificates.  Possibly it makes sense to stop searches at
the first matching certificate that is valid according to the system
clock, with the option to specify some other time to be used instead
of the current time; and if someone re-issues a certificate with the
same DN and key identifier, an overlapping validity period and further
changes that lead to complications, we'd just claim it's their fault
alone.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
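The approach proposed in the quoted message above (take the root's serial from the CA's "serial" file instead of letting req -x509 default it, so a renewed root with the same subject gets a distinct serial) as an added shell example; this is not code from the thread or from the OpenSSL project. It assumes a POSIX sh with an openssl binary on PATH (req's -set_serial option and x509 -serial are real), and the function names issue_root, renew_root, cert_serial and dup_issuer_serial, the directory layout and the subject "/CN=Example Root CA" are my own choices. The last function checks the pair that actually has to be unique for re-issued certificates, (issuer DN, serial), which is the point the reply makes about the DN alone not being a usable primary key.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): issue and renew a
# self-signed root whose serial comes from a CA-style "serial" file, then
# check that no two certificates share (issuer DN, serial). Requires openssl.
set -eu

# Issue a self-signed root into directory $1 for subject $2, using and then
# bumping the hex counter in "$1/serial" (the same file "openssl ca" uses).
# Hypothetical helper; the subject and paths are assumptions.
issue_root() {
    dir=$1; subj=$2
    [ -f "$dir/serial" ] || printf '01\n' > "$dir/serial"
    serial=$(cat "$dir/serial")
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "$subj" -days 3650 -set_serial "0x$serial" \
        -out "$dir/ca.pem" 2>/dev/null
    # advance the counter, keeping an even number of uppercase hex digits
    printf '%02X\n' "$((0x$serial + 1))" > "$dir/serial"
}

# Print the serial of a PEM certificate as openssl shows it (hex, no prefix).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Renew the root in $1 with subject $2, keeping the previous one as
# "ca-old.pem"; fail if the new serial repeats the old one.
renew_root() {
    dir=$1; subj=$2
    cp "$dir/ca.pem" "$dir/ca-old.pem"
    issue_root "$dir" "$subj"
    old=$(cert_serial "$dir/ca-old.pem")
    new=$(cert_serial "$dir/ca.pem")
    [ "$old" != "$new" ]
}

# Print any (issuer DN, serial) pair shared by two PEM certificates in $1
# and fail; that pair, not the subject DN, is what must identify a cert.
dup_issuer_serial() {
    dir=$1
    dups=$(
        for f in "$dir"/*.pem; do
            printf '%s %s\n' \
                "$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')" \
                "$(cert_serial "$f")"
        done | sort | uniq -d
    )
    [ -z "$dups" ] || { printf 'duplicate issuer/serial:\n%s\n' "$dups"; return 1; }
}

# Walk-through: first root gets serial 01, the renewal 02, no duplicates.
demo() {
    d=$(mktemp -d)
    issue_root "$d" "/CN=Example Root CA"
    echo "first root:   serial $(cert_serial "$d/ca.pem")"
    renew_root "$d" "/CN=Example Root CA"
    echo "renewed root: serial $(cert_serial "$d/ca.pem") (old: $(cert_serial "$d/ca-old.pem"))"
    dup_issuer_serial "$d" && echo "no duplicate (issuer, serial) pairs"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh root-serial.sh demo`. The serial file is kept in openssl's own convention (even-length uppercase hex) so the same file can later feed `openssl ca` for end-entity certificates, and the duplicate check is the one to run over an archive of old and renewed roots before shipping a new trust bundle.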
