On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> It was introduced as a bug fix to stop OpenSSL producing invalid certificates
> under certain circumstances.
>
> A clarification indicated that zero was considered an invalid serial number.

"serialNumber: A unique positive integer." At least I think.

> Issuing certificates with duplicate issuer and serial numbers is illegal and
> can cause strange problems which are difficult to diagnose.

Let's see... you're talking about the authorityKeyIdentifier? I thought that went up 2 steps up the tree and then gave a serial number of the cert issued by that CA. And I'm trying to parse this more effectively; can you tell me if you meant something other than: "A CA that issues certificates cannot issue a certificate that has the same serial number as its own serial number"? This suggests that the CA's serial number is imported into the context of its own signatures' serial numbers, even when it's a sub-CA?

> If you want to keep the previous behaviour when you use "openssl req -x509"
> you have to explicitly use the -set_serial option.

Thank you for the workaround.

> The other case is where a serial number file is created. To keep the old
> behaviour you need to explicitly create a serial number file with the
> appropriate value.

...or just use the one I already have, I would presume?

Thanks for your help, Dr. Henson.

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
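The two practical points in the exchange above (pin the serial of an "openssl req -x509" self-signed certificate with -set_serial, and treat a repeated issuer/serial pair as a defect) can be exercised from the shell. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes an openssl CLI on PATH and a writable scratch directory (WORK, created with mktemp); the subject name, serial values and file names are made up for the demonstration. Without -set_serial a current OpenSSL picks a random serial; with it, the serial you pass (decimal, or hex prefixed with 0x) is what ends up in the certificate, which "openssl x509 -serial" prints back as uppercase hex.

```shell
#!/bin/sh
# Added example (not from the original thread): self-signed certs with an
# explicit serial via -set_serial, read the serial back, and flag duplicate
# (issuer, serial) pairs among a directory of PEM certificates.
# Assumes: openssl on PATH; WORK is a scratch directory (assumption).
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_selfsigned NAME SERIAL
# Self-signed certificate whose serial is pinned with -set_serial.
# The subject (hence the issuer, since it is self-signed) is a made-up name.
make_selfsigned() {
    name="$1"; serial="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example test CA" \
        -set_serial "$serial" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# cert_serial FILE
# Print the certificate serial as uppercase hex without the "serial=" prefix.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# duplicate_pairs DIR
# Print each "issuer|serial" pair that occurs in more than one certificate.
# Two certificates sharing issuer and serial are the case the thread calls
# illegal and hard to diagnose.
duplicate_pairs() {
    for f in "$1"/*.pem; do
        printf '%s|%s\n' \
            "$(openssl x509 -in "$f" -noout -issuer)" \
            "$(cert_serial "$f")"
    done | sort | uniq -d
}

# count_duplicate_pairs DIR: number of distinct duplicated pairs.
count_duplicate_pairs() {
    duplicate_pairs "$1" | wc -l | tr -d ' '
}

# Constructed scenario: "a" and "c" get the same issuer and the same serial.
make_selfsigned a 42
make_selfsigned b 0x1234ABCD
make_selfsigned c 42

echo "a serial: $(cert_serial "$WORK/a.pem")"
echo "b serial: $(cert_serial "$WORK/b.pem")"
echo "duplicate issuer|serial pairs:"
duplicate_pairs "$WORK"
```

The duplicate check is the same one you would run over a CA's issued-certificate store after hand-creating a serial file: if the value in the serial file is not strictly higher than every serial already issued under that CA name, the next certificate will collide, and the uniq -d line is the cheapest way to see it before a relying party does.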