> From: [email protected] On Behalf Of Al
> Sent: Monday, 16 November, 2009 15:40
>
> I am trying to create a certificate that is already revoked
> (for testing purposes). I noticed the CRL has the SNs of the
> certificates and I am wondering if I could set the SN to

Yes, certs are identified for many purposes, including revocation on a CRL, by serial within CA.

> revoked cert SNs during new certificate creation?
>

This is not entirely clear; I assume you mean create a new cert with a serial that is already on a CRL issued by the (same) CA. (You can't change the serial on an issued cert; it's part of the signed content. You legally could create/issue a new cert, with new CA/serial, and all other contents the same as an existing cert, even validity. But it's usual to redo the validity. Having the same serial on CA2 as on CA1 is totally irrelevant.)

If you control the CA, maybe; it depends on what the CA software does. A CA is not SUPPOSED to ever issue different certs with the same serial, but you may be able to override or fake yours. openssl ca|x509(ca) depend on text files you can clobber; openssl req(self)|x509(self) obey the command line.

If you do create two (or more) certs with the same serial, and both (or multiple) of them are ever present in any environment, you have a very good chance of creating chaos. The purpose of the serial is to uniquely identify the cert within a given CA, and lots of software assumes this. If there are two different certs with the same serial for the same CA, all kinds of things can go wrong that you can spend months debugging.

But if you control the CA, you should be able to issue a new CRL about as easily as you can issue a new cert.

If you don't control the CA, and it is competently run, no. It will always create new certs with unique serials, as it should.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
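The scenario the reply describes, as an added example that is not part of the original thread: a throwaway CA revokes a cert, `openssl ca` refuses to reuse the serial even after its text-file state is clobbered, and `openssl x509 -set_serial` issues the duplicate anyway, so CRL checking then flags the new cert as revoked. It assumes the `openssl` command-line tool is installed; the CA and subject names are constructed test data.

```shell
#!/bin/sh
# Added example, not from the original mail. A throwaway CA issues a cert,
# revokes it and publishes a CRL; clobbering the "serial" text file then
# makes "openssl ca" refuse the duplicate, while "openssl x509 -set_serial"
# issues it anyway. CRL checking rejects the new cert too: the two certs
# are indistinguishable by serial, which is the chaos the mail warns about.
set -eu
WORK=$(mktemp -d); cd "$WORK"
touch index.txt; echo 01 > serial; echo 01 > crlnumber   # openssl ca's text-file state
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null             # constructed test CA

csr() {  # $1 = name; constructed subject with a fresh key
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
crl_status() {  # prints ok | revoked | error for cert $1 against ca.crl
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1) || true
    case "$out" in *revoked*) echo revoked ;; *": OK"*) echo ok ;; *) echo error ;; esac
}

csr first; csr second
openssl ca -batch -config ca.cnf -days 30 -notext -in first.csr -out first.crt 2>/dev/null
openssl ca -config ca.cnf -revoke first.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
echo 01 > serial                     # reset the serial file to the revoked value
if openssl ca -batch -config ca.cnf -days 30 -notext -in second.csr -out dup.crt 2>/dev/null
then CA_REFUSED=no; else CA_REFUSED=yes; fi          # index.txt still knows serial 01
openssl x509 -req -in second.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
    -days 30 -out second.crt 2>/dev/null             # x509 just obeys the command line
echo "serials: first=$(serial_of first.crt) second=$(serial_of second.crt) ca_refused=$CA_REFUSED"
echo "crl check: first=$(crl_status first.crt) second=$(crl_status second.crt)"
```

Swapping the `-set_serial` value for one not on the CRL makes the second cert verify cleanly, which is the usual way to get a "known good" and a "known revoked" pair for testing without a duplicate serial.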
