On Mon, Sep 02, 2002, Olaf Zaplinski via RT wrote:

> This is what I did after 'make install':
>
> cd /usr/local/ssl
> mkdir rootCA
> [edited openssl.cnf and adjusted the paths accordingly]
> cd rootCA
> touch index.txt
> [edited serial and inserted one line containing '00']
>
> So index.txt was a zero byte file, serial contains '00'.
>
> Then I created the CA and the 1st server cert w/o problems. The 2nd cert
> signing fails then.

That is the problem. You should not create 00 in the serial file because the
serial number 00 is used by default for the root CA. You should instead use 01.
This is mentioned in the EXAMPLES section of the ca manual page and CA.pl does
this.

OpenSSL shouldn't corrupt index.txt though even if serial is 00.

The issuer name and serial number have to be unique according to various
standards and having duplicates can confuse certain software and cause hard to
trace problems later: such as bogus verify or signature failures.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
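
A check for the collision described in the reply above, as an added example that is not part of the original thread or of OpenSSL: it parses a `ca` database (`index.txt`) and reports serials that duplicate an earlier entry or match the CA certificate's own serial. The sample database, the function names and the `ca_serial` parameter are constructed for illustration; the default of 0 follows the reply's statement about the root CA.

```python
"""Audit an OpenSSL `ca` database for serial-number collisions (added example)."""

# Constructed sample index.txt. Tab-separated fields are:
# status, expiry, revocation date, serial (hex), filename, subject DN.
SAMPLE_INDEX = (
    "V\t030902120000Z\t\t00\tunknown\t/C=DE/O=Example/CN=www.example.test\n"
    "V\t030902120500Z\t\t01\tunknown\t/C=DE/O=Example/CN=mail.example.test\n"
    "R\t030902121000Z\t020903080000Z\t01\tunknown\t/C=DE/O=Example/CN=old.example.test\n"
)


def parse_index(text):
    """Yield (line_no, status, serial_int, subject) for each database entry."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {line_no}: expected 6 fields, got {len(fields)}")
        status, _expiry, _revoked, serial_hex, _fname, subject = fields
        # Compare serials numerically so '0' and '00' are treated as equal.
        yield line_no, status, int(serial_hex, 16), subject


def audit_serials(index_text, ca_serial=0):
    """Return (line_no, message) findings; every entry shares one issuer, this CA.

    ca_serial is the serial of the CA's own self-signed certificate. The
    default of 0 is an assumption taken from the reply; adjust it as needed.
    """
    findings = []
    seen = {}  # serial -> line number where it first appeared
    for line_no, _status, serial, subject in parse_index(index_text):
        if serial == ca_serial:
            findings.append((line_no, f"serial {serial:02X} collides with the CA certificate: {subject}"))
        if serial in seen:
            findings.append((line_no, f"serial {serial:02X} already issued on line {seen[serial]}: {subject}"))
        else:
            seen[serial] = line_no
    return findings


if __name__ == "__main__":
    for line_no, message in audit_serials(SAMPLE_INDEX):
        print(f"index.txt:{line_no}: {message}")
```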
