Hi Andy:

If you use the OpenSSL CA scripts as shipped and documented both in the OpenSSL document, the book, or numerous places on the web, they already use "index.txt" as a list of all issued certificates. So no extra work is needed.

Have fun.

Patrick.

On 2010-09-22, at 4:52 PM, Andy GOKTAS wrote:

> So using the "-CAserial serial.srl" might be a good idea to avoid this.
>
> Now this leads me to the next question:
> - Besides manually documenting a cross-reference for each certificate that I
> sign to a serial number, is there any way to have this scripted and for an
> appending log to the serial.srl file that's updated each time it's used? In
> short, a list of cert name (=CN perhaps) and serial number associated with
> it.
>
> ??
>
> Thanks,
> Andy Goktas
>
>>>> <aerow...@gmail.com> 9/19/2010 1:53 PM >>>
> If you generate multiple certs with the same serial number, Firefox (and
> anything built with NSS) will absolutely refuse to have anything to do with
> those sites. There's no "click 3 times to get access", it's a simple refusal
> to talk with a non-standards-compliant server. (Of course, this puts the
> owner of the site in a lurch, because he doesn't run the CA in the vast
> majority of circumstances.)
>
> Other TLS clients and browsers likely will do the same. I haven't checked
> though.
>
> -Kyle H
>
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS <andy.gok...@state.or.us> wrote:
>> Hello,
>>
>> Just curious if anyone knows, but what happens if I generate multiple server
>> certs (using my self generated signing CA using openssl) that have the same
>> assigned serial number?
>>
>> Does this create a conflict within the network and if users end up
>> accessing both certs, kaboooom?
>>
>> Is it merely a method of basic tracking on how many certificates a CA signs?
>>
>> Thanks,
>> Andy Goktas
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559
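
As an added example (not part of the original thread and not OpenSSL's own code): the "index.txt" database mentioned in the reply already records a serial number and subject for every certificate issued through the CA scripts, so a short Python script can print the serial-to-CN cross-reference asked about and flag any serial recorded more than once. The sample index lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of an OpenSSL CA database (index.txt). Fields are tab-separated:
# status (V/R/E), expiry, revocation date, serial (hex), filename, subject DN.
SAMPLE_INDEX = (
    "V\t110922205200Z\t\t01\tunknown\t/C=US/O=Example Org/CN=www.example.test\n"
    "R\t110922205300Z\t100923120000Z\t02\tunknown\t/C=US/O=Example Org/CN=mail.example.test\n"
    "V\t110922205400Z\t\t03\tunknown\t/C=US/O=Example Org/CN=vpn.example.test\n"
    "V\t110922205500Z\t\t01\tunknown\t/C=US/O=Example Org/CN=intranet.example.test\n"
)
STATUS = {"V": "valid", "R": "revoked", "E": "expired"}

def common_name(subject):
    """Return the CN from a one-line DN such as /C=US/O=Org/CN=host."""
    for part in re.split(r"(?<!\\)/", subject):  # do not split on escaped "\/"
        if part.startswith("CN="):
            return part[3:]
    return None

def parse_index(text):
    """Yield (serial, status, cn) for every well-formed index.txt line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        status, _expiry, _revoked, serial, _filename, subject = fields
        yield serial.upper(), STATUS.get(status, status), common_name(subject)

def cross_reference(text):
    """Map each serial number to the list of (cn, status) recorded under it."""
    table = defaultdict(list)
    for serial, status, cn in parse_index(text):
        table[serial].append((cn, status))
    return dict(table)

def duplicate_serials(text):
    """Serials that appear on more than one certificate, sorted."""
    return sorted(s for s, certs in cross_reference(text).items() if len(certs) > 1)

if __name__ == "__main__":
    for serial, certs in sorted(cross_reference(SAMPLE_INDEX).items()):
        print(serial, certs)
    print("duplicate serials:", duplicate_serials(SAMPLE_INDEX))
```

To run it against a real CA directory, pass the contents of that CA's index.txt to `cross_reference()` instead of the constructed sample.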