Never, ever, ever, ever, ever under any circumstances issue the same serial number twice. You tried to issue the same serial to both roots -- badbadbadbadbadDONOT.
-Kyle H

On Tue, Sep 1, 2009 at 8:56 AM, jehan procaccia <jehan.procac...@it-sudparis.eu> wrote:
> jehan procaccia wrote:
>>
>> I finally found it!
>>
>> [proca...@anaconda ~]
>> $ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/new_it_root_ca10.crt -verify 3
>> verify depth is 3
>> CONNECTED(00000003)
>> depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
>> verify return:1
>> depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
>> verify return:1
>> depth=1 /CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
>> verify return:1
>> depth=0 /C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
>>    i:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
>>  1 s:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
>>    i:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
>>  2 s:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
>>    i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
>>  3 s:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
>>    i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
>>
>> Now everything seems OK with that new root CA:
>> http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt
>>
> Unfortunately it's not completely finished :-(
> Now, on clients where I removed the original root CA and added the new re-signed root CA (new_it_root_ca10.crt),
> I have an issuer/serial problem when accessing a server configured with the "old" root CA.
>
> For example, going to https://www-cours.it-sudparis.eu/, a server which is configured with the original chain and the itrootca root CA,
> Firefox complains about:
> "sec_error_reused_issuer_and_serial"
> The same with the SeaMonkey client:
> "Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number"
> Indeed my re-signed root CA (http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt) does have the same serial values as the original itrootca.crt:
>
> $ openssl x509 -in /etc/pki/tls/certs/new_it_root_ca10.crt -text
> ...
> Serial Number:
>     f9:bf:e3:44:a7:66:2a:a4
> X509v3 Authority Key Identifier:
>     serial:F9:BF:E3:44:A7:66:2A:A4
> ...
> Indeed, I suppose that when I re-signed my root CA this way:
>
> openssl x509 -signkey it_root_ca.key -set_serial 01 -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in it_root_ca.crt -out new_it_root_ca10.crt
>
> then, as long as I call the original
> -in it_root_ca.crt
> in the command above, I suspect it extracts the serial from it; no matter what I set with the "-set_serial" openssl option, it does not set anything new!
>
> Then, here's my question: should I set a new serial in order not to conflict with the original one, and how can I set it?
> If I cannot set a new serial, then it means I should change all my server CA-chain configs in one shot, on the same day, and all my clients' browser "keystores" :-( ? Or is there a soft and clean way to migrate smoothly from the original root CA to the new one?
>
> Thanks.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
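The renewal discussed above, worked through as an added example (this is not code from the thread or from the OpenSSL project): a self-signed root is re-issued with the same key and subject name but a fresh serial by first converting the old certificate to a CSR (`-x509toreq`) and then signing that CSR with `openssl x509 -req`, the path in which `-set_serial` is applied; the script then checks that the issuer name is unchanged while the serial differs, which is exactly the condition that avoids Firefox's `sec_error_reused_issuer_and_serial`. It assumes an `openssl` binary on PATH; the subject "Example Root CA", the `ca.cnf` file (standing in for the thread's opensslIT.cnf), the file names, the child certificate and the serials 0x01/0x02/0x1001 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: re-issue a self-signed root CA with a
# NEW serial while keeping the same key and subject. Requires the openssl CLI.
# Everything below (names, files, serials) is hypothetical test data.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Minimal config carrying the v3_ca extensions. subjectKeyIdentifier is listed
# before authorityKeyIdentifier on purpose: for a self-signed cert the AKID is
# derived from the SKID added just before it. The AKID deliberately omits the
# "issuer" option so it does not pin the issuer's serial number.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
O = Example
C = fr
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# 1. The "original" root: a key and a self-signed cert with serial 0x01.
gen_original_root() {
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -key root.key -config ca.cnf -extensions v3_ca \
        -set_serial 0x01 -days 365 -out root_old.crt
}

# 2. Re-issue with the SAME key but a fresh serial ($1, e.g. 0x02): turn the
#    old cert into a CSR, then sign the CSR. In the -req path -set_serial is
#    honoured, unlike re-signing the old cert directly as in the thread.
reissue_root_with_new_serial() {
    openssl x509 -x509toreq -in root_old.crt -signkey root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -set_serial "$1" \
        -days 5475 -extfile ca.cnf -extensions v3_ca -out root_new.crt 2>/dev/null
}

# Serial of a certificate file, as printed by openssl (e.g. "02").
serial_of() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# 3. Succeeds only if both roots have the same issuer name and different
#    serials: the (issuer, serial) pair must be unique per CA.
check_no_reused_issuer_serial() {
    old_issuer=$(openssl x509 -in root_old.crt -noout -issuer)
    new_issuer=$(openssl x509 -in root_new.crt -noout -issuer)
    [ "$old_issuer" = "$new_issuer" ] && \
        [ "$(serial_of root_old.crt)" != "$(serial_of root_new.crt)" ]
}

# 4. The smooth-migration part of the question: a certificate issued under the
#    OLD root also chains to the NEW root, because issuer name and signing key
#    are unchanged. Clients can therefore trust either root during rollout.
issue_child_under_old_root() {
    openssl genrsa -out child.key 2048 2>/dev/null
    openssl req -new -key child.key -config ca.cnf \
        -subj "/CN=child.example/O=Example/C=fr" -out child.csr 2>/dev/null
    openssl x509 -req -in child.csr -CA root_old.crt -CAkey root.key \
        -set_serial 0x1001 -days 365 -out child.crt 2>/dev/null
}

# $1 = root certificate file to trust; returns 0 if child.crt verifies.
child_verifies_under() { openssl verify -CAfile "$1" child.crt >/dev/null 2>&1; }

if [ "${1:-}" = "run" ]; then
    gen_original_root
    reissue_root_with_new_serial 0x02
    check_no_reused_issuer_serial && echo "issuer unchanged, serial differs"
    issue_child_under_old_root
    child_verifies_under root_new.crt && echo "old-root child verifies under new root"
fi
```

Run it as `sh renew_root.sh run`. One caveat a practitioner should check before relying on step 4: the thread's own `-text` output shows an Authority Key Identifier that carries a `serial:` field. If an intermediate's AKID likewise names the root by DirName plus serial, OpenSSL's chain builder (X509_check_akid) compares that serial against the candidate issuer and rejects a root whose serial no longer matches, so such an intermediate would have to be re-issued under the new root as well; an AKID that contains only a key identifier, as in the config above, keeps matching because the key is unchanged.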