I hear you (whoever you are!). It's a playpen CA. I'm a software developer. These certificates will never be allowed out into the wild.
Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of lists
Sent: Thursday, October 04, 2012 11:43 AM
To: openssl-users@openssl.org
Subject: Re: Documentation for TXT_DB errors?

On 10/03/2012 05:49 AM, Dave Thompson wrote:
>> I deleted index.txt and reset serial.txt to 00 and that
>> solved the problem.
>>
>> Hope that was not a terrible idea.

In my opinion, reusing serials is a *very bad* idea in general. It is definitely deprecated and maybe forbidden in some legal context (I work in Italy, no officially appointed CA would reuse serials here).

Think about the existence of an OpenSSL function named X509_issuer_and_serial_hash. It exists exactly because serials are intended to be unique and combining them with the CA (the hash is for leveraging the output) makes it easy to have a unique identifier for certificates in a system; I personally use it.

Just to present another example, OCSP can be queried by a serial number (of the certificate that is to be verified).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
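
An added example, not part of the thread and not OpenSSL project code: a check for serial numbers that end up issued twice by the same CA after index.txt is deleted and the serial counter is reset. It assumes a copy of the old index.txt was kept and that both files belong to one CA; the sample contents, subject names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: the index.txt saved before the reset and the one
# written afterwards. Each line has six tab-separated fields:
# status (V/R/E), expiry, revocation date, serial (hex), filename, subject DN.
OLD_INDEX = (
    "V\t131004114300Z\t\t01\tunknown\t/CN=alpha.example.test\n"
    "R\t131004114300Z\t121001090000Z\t02\tunknown\t/CN=beta.example.test\n"
)
NEW_INDEX = (
    "V\t131005080000Z\t\t01\tunknown\t/CN=gamma.example.test\n"
    "V\t131005080000Z\t\t02\tunknown\t/CN=delta.example.test\n"
    "V\t131005080000Z\t\t03\tunknown\t/CN=epsilon.example.test\n"
)


def parse_index(text):
    """Yield (serial, status, subject) for each well-formed index line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # blank or malformed line
        status, _expiry, _revoked, serial_hex, _filename, subject = fields
        try:
            serial = int(serial_hex, 16)  # compare as numbers: "01" == "1"
        except ValueError:
            continue
        yield serial, status, subject


def serial_collisions(*indexes):
    """Return {serial: [(status, subject), ...]} for serials seen more than once.

    All indexes are assumed to come from the same issuer, so a repeated
    serial means issuer+serial no longer identifies a single certificate.
    """
    seen = defaultdict(list)
    for text in indexes:
        for serial, status, subject in parse_index(text):
            seen[serial].append((status, subject))
    return {s: entries for s, entries in seen.items() if len(entries) > 1}


if __name__ == "__main__":
    for serial, entries in sorted(serial_collisions(OLD_INDEX, NEW_INDEX).items()):
        print(f"serial {serial:02X} issued {len(entries)} times: {entries}")
```

Serial 02 in the sample is revoked in the old index and valid in the new one, which is the case where a status lookup by serial number cannot tell the two certificates apart.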