Hm... I don't have the sources for 0.9.7 around, but when I quickly look at the 0.9.9 code, it shouldn't do this (a2i_ASN1_INTEGER() is used to convert the hex text in the file to a BigNum and to address the sign mentioned before: AFAICS that routine requires an ASCII '-' to identify negative values; it does not 'sign-extend' hex digits; besides, if it had, we'd already have been in trouble when the serial went from '7F' to '80').

It may be that apps/ca.c + apps/apps.c in 0.9.7a is not (yet) using this a2i_... function, or that there's a typecast to char or some such around (your problem smells a lot like that), so the only way out for now that I can imagine is to get an OpenSSL source tree from OpenSSL.org, dump it in a temp directory for testing and build/compile it so you get another apps/ca binary in there; it's not hard to do, so you should be fine. Just read the instructions for configure and make and you should be good to go.

Then it will probably work out okay if you copy that demoCA directory of yours over the openssl-testdir/apps/demoCA directory, then try running the newly compiled ca binary to produce a certificate with serial '0100'. Should work out all right, though I must state that I haven't used ca+demoCA enough to surpass the byte boundary you've run into. So not a sure solution, but a probable direction towards solving this.

HTH,
Ger

PS: and yes, generally you can replace the demoCA directory across OpenSSL versions of apps/ca, but always test to make sure when you migrate (just a general 'test-before-release' note, nothing particular to OpenSSL). Done it several times myself in my dev/test environments.

On Fri, Aug 8, 2008 at 6:26 AM, David Skeen <[EMAIL PROTECTED]> wrote:
> Thanks for response!
>
> Not sure what you are referring to about illegal cert number.
>
> Here is some more info:
> [EMAIL PROTECTED] demoCA]# ls
> cacert.pem  crl        index.txt.old  pem      serial
> certs       index.txt  newcerts       private  serial.old
> [EMAIL PROTECTED] demoCA]# cat serial
> 0100
> [EMAIL PROTECTED] demoCA]# cat serial.old
> FF
> [EMAIL PROTECTED] demoCA]# ls newcerts
> 01.pem  1B.pem  35.pem  4F.pem  69.pem  83.pem  9D.pem  B7.pem  D1.pem  EB.pem
> 02.pem  1C.pem  36.pem  50.pem  6A.pem  84.pem  9E.pem  B8.pem  D2.pem  EC.pem
> 03.pem  1D.pem  37.pem  51.pem  6B.pem  85.pem  9F.pem  B9.pem  D3.pem  ED.pem
> 04.pem  1E.pem  38.pem  52.pem  6C.pem  86.pem  A0.pem  BA.pem  D4.pem  EE.pem
> 05.pem  1F.pem  39.pem  53.pem  6D.pem  87.pem  A1.pem  BB.pem  D5.pem  EF.pem
> 06.pem  20.pem  3A.pem  54.pem  6E.pem  88.pem  A2.pem  BC.pem  D6.pem  F0.pem
> 07.pem  21.pem  3B.pem  55.pem  6F.pem  89.pem  A3.pem  BD.pem  D7.pem  F1.pem
> 08.pem  22.pem  3C.pem  56.pem  70.pem  8A.pem  A4.pem  BE.pem  D8.pem  F2.pem
> 09.pem  23.pem  3D.pem  57.pem  71.pem  8B.pem  A5.pem  BF.pem  D9.pem  F3.pem
> 0A.pem  24.pem  3E.pem  58.pem  72.pem  8C.pem  A6.pem  C0.pem  DA.pem  F4.pem
> 0B.pem  25.pem  3F.pem  59.pem  73.pem  8D.pem  A7.pem  C1.pem  DB.pem  F5.pem
> 0C.pem  26.pem  40.pem  5A.pem  74.pem  8E.pem  A8.pem  C2.pem  DC.pem  F6.pem
> 0D.pem  27.pem  41.pem  5B.pem  75.pem  8F.pem  A9.pem  C3.pem  DD.pem  F7.pem
> 0E.pem  28.pem  42.pem  5C.pem  76.pem  90.pem  AA.pem  C4.pem  DE.pem  F8.pem
> 0F.pem  29.pem  43.pem  5D.pem  77.pem  91.pem  AB.pem  C5.pem  DF.pem  F9.pem
> 10.pem  2A.pem  44.pem  5E.pem  78.pem  92.pem  AC.pem  C6.pem  E0.pem  FA.pem
> 11.pem  2B.pem  45.pem  5F.pem  79.pem  93.pem  AD.pem  C7.pem  E1.pem  FB.pem
> 12.pem  2C.pem  46.pem  60.pem  7A.pem  94.pem  AE.pem  C8.pem  E2.pem  FC.pem
> 13.pem  2D.pem  47.pem  61.pem  7B.pem  95.pem  AF.pem  C9.pem  E3.pem  FD.pem
> 14.pem  2E.pem  48.pem  62.pem  7C.pem  96.pem  B0.pem  CA.pem  E4.pem  FE.pem
> 15.pem  2F.pem  49.pem  63.pem  7D.pem  97.pem  B1.pem  CB.pem  E5.pem  FF.pem
> 16.pem  30.pem  4A.pem  64.pem  7E.pem  98.pem  B2.pem  CC.pem  E6.pem
> 17.pem  31.pem  4B.pem  65.pem  7F.pem  99.pem  B3.pem  CD.pem  E7.pem
> 18.pem  32.pem  4C.pem  66.pem  80.pem  9A.pem  B4.pem  CE.pem  E8.pem
> 19.pem  33.pem  4D.pem  67.pem  81.pem  9B.pem  B5.pem  CF.pem  E9.pem
> 1A.pem  34.pem  4E.pem  68.pem  82.pem  9C.pem  B6.pem  D0.pem  EA.pem
>
>
> I am not fully comprehending the whole demoCA procedure, however it is
> rather odd that things have stopped working as the serial number ticks
> over to 0100 from FF. Was hoping someone might have come across this
> before ...
>
> Also, as a potential solution, is there a method for simply copying over
> a demoCA from an old server to a new server?
>
> David Skeen
> JDS Solutions
>
> On Thu, 2008-08-07 at 20:19 -0700, David Schwartz wrote:
>> > I have had a look around and it appears that the serial number for the
>> > last certificate created was FF (hex), indicating 256 certificates have
>> > so far been created. The next number in the serial file is 0100, which
>> > would seem the logical next number, however the certificate signing
>> > bails out on me.
>>
>> FF is not a legal certificate number. Certificate numbers must not be
>> negative. (0xFF has the sign bit set and hence is negative.)
>>
>> DS
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           [EMAIL PROTECTED]
>

--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--------------------------------------------------
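The sign-bit question running through this exchange (whether a serial of FF is negative, and what a2i_ASN1_INTEGER() makes of the hex text in the serial file), worked through as an added Python example that is not part of the thread and not OpenSSL's own code. It parses the serial text the way Ger describes the routine (negative only with an explicit '-'), DER-encodes the value as an ASN.1 INTEGER with the leading 0x00 that a positive value with its top bit set needs, decodes it back with sign extension, and models the "typecast to char" failure mode Ger suspects. The function names, the signed-char model and the sample serials are my assumptions; the limits in check_cert_serial (positive, at most 20 content octets) are those of RFC 5280 section 4.1.2.2.

```python
"""Added example: hex serial text -> integer -> DER INTEGER, and back.

Not from the thread or from OpenSSL. Shows why a serial of 0xFF is fine
when encoded as 02 02 00 FF but reads as -1 when handled as a bare 0xFF
octet (for instance through a C 'signed char').
"""


def parse_serial_text(text: str) -> int:
    """Parse the hex text of a CA serial file such as '0100' or 'FF'.

    Mirrors the behaviour Ger describes for a2i_ASN1_INTEGER(): only an
    explicit leading '-' makes the value negative, hex digits are never
    sign-extended. (Assumption based on the message, not a port of the
    OpenSSL routine.)
    """
    s = text.strip()
    negative = s.startswith("-")
    if negative:
        s = s[1:]
    if not s or any(c not in "0123456789abcdefABCDEF" for c in s):
        raise ValueError(f"not a hex serial: {text!r}")
    value = int(s, 16)
    return -value if negative else value


def der_encode_integer(value: int) -> bytes:
    """DER-encode an INTEGER (tag 0x02) with minimal two's-complement content.

    A positive value whose top bit is set gets a leading 0x00 so that it is
    not read back as negative: 0xFF becomes 02 02 00 FF, not 02 01 FF.
    """
    if value == 0:
        content = b"\x00"
    else:
        nbytes = (value.bit_length() + 8) // 8  # +8 leaves room for the sign bit
        content = value.to_bytes(nbytes, "big", signed=True)
        # Drop redundant leading 0x00 / 0xFF octets (DER requires minimal form).
        while len(content) > 1 and (
            (content[0] == 0x00 and not content[1] & 0x80)
            or (content[0] == 0xFF and content[1] & 0x80)
        ):
            content = content[1:]
    if len(content) >= 128:
        raise ValueError("long-form length not needed for serial numbers")
    return b"\x02" + bytes([len(content)]) + content


def der_decode_integer(der: bytes) -> int:
    """Decode a DER INTEGER; the first content octet's top bit is the sign."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad DER length")
    return int.from_bytes(der[2:], "big", signed=True)


def as_c_signed_char(octet: int) -> int:
    """What a 0x00..0xFF octet looks like once stored in a C 'signed char'.

    This models the 'typecast to char' failure mode Ger suspects in the
    thread (an illustration, not the actual 0.9.7a code): every octet with
    the top bit set, e.g. 0x80 or 0xFF, comes back negative.
    """
    octet &= 0xFF
    return octet - 0x100 if octet & 0x80 else octet


def check_cert_serial(value: int) -> list:
    """Problems a validator would report for a certificate serial number,
    per RFC 5280 s4.1.2.2: positive, and DER content of at most 20 octets."""
    problems = []
    if value <= 0:
        problems.append("serial must be positive")
    content_len = len(der_encode_integer(value)) - 2
    if content_len > 20:
        problems.append(f"serial content is {content_len} octets, max is 20")
    return problems


if __name__ == "__main__":
    # Constructed sample serials around the byte boundary from the thread.
    for text in ("7F", "80", "FF", "0100", "-01"):
        v = parse_serial_text(text)
        der = der_encode_integer(v)
        print(f"{text:>5} -> {v:5d} -> {der.hex().upper():10} -> "
              f"{der_decode_integer(der)} {check_cert_serial(v)}")
    # A bare 0xFF content octet without the 0x00 pad reads back as -1,
    # which is exactly what a signed-char cast of the same octet gives.
    print(der_decode_integer(bytes.fromhex("0201FF")))  # -1
    print(as_c_signed_char(0xFF))                       # -1
```

Running the block prints the encoding for each sample: 7F stays one octet, 80 and FF pick up the 0x00 pad (02 02 00 80, 02 02 00 FF), 0100 is 02 02 01 00, and -01 is the single octet FF that decodes to -1; the last two lines show that the serial file's FF is only negative if something along the way stores the octet in a signed byte.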