On Sat, Feb 25, 2006, Kyle Hamilton wrote:

> Is there a way to specify the old behavior? (I'm collecting as much
> information as I can on current practice and putting it all together
> -- the overloading of 'authorityKeyIdentifier' is only part of the
> problem with current X.509 practice, and that overloading creates a
> situation where software makers introduce incompatible changes -- I've
> got logging software and log processing software that relies on the
> former, serial functionality.)
>
It was introduced as a bug fix to stop OpenSSL producing invalid certificates under certain circumstances. A clarification indicated that zero was considered an invalid serial number. Issuing certificates with duplicate issuer and serial numbers is illegal and can cause strange problems which are difficult to diagnose.

If you want to keep the previous behaviour when you use "openssl req -x509" you have to explicitly use the -set_serial option.

The other case is where a serial number file is created. To keep the old behaviour you need to explicitly create a serial number file with the appropriate value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]