On 26.04.2014 05:52, csa321 wrote:
> We've generated our own CA for self-signing certificates.

The private key of the root CA should only exist on _ONE_ server, and as a backup on an external medium.

> The issue is that we package up the openssl install for installation on multiple servers. Therefore, the root CA we create is part of the package as well.
> The problem is that since the CA cert will have the same serial number across all servers,

Copying doesn't change the serial number.

> any certificates issued from that CA, on different servers, end up having the same serial number.
> This causes browser issues for obvious reasons.

Of course; this is a design failure. The certificates MUST all be signed on only one server for this reason, or each server must have its own root/intermediate CA.

> Is there any way to control the incrementing of the serial number from the root CA so that it is completely random,

No.