Anders Rundgren wrote:
>> Any two certs with the same issuer must have different serial numbers. This is a basic X509 requirement; violating this will cause you interoperability problems. If you reissue your CA cert, it must have a new number. If you spin up another CA with the same issuer, it must have a unique serial number space from your previous.
>>
>> Both your root.cert and cacert.cert seem to have the same serial number and issuer. That is forbidden.
>
> AFAIK each CA has its own serial number space. This should make it OK to reuse a serial number even within a CA hierarchy. It would be an error if I let the root sign another CA and used serial = 1 for that one as well.

This is a common error when people build CAs out of development tools. If your CAs have different issuers, then you are correct: the CA has complete control of the serial number space.
bob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
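An added example, not from this thread and not Bob's or Anders's code: the rule being discussed (RFC 5280 4.1.2.2) is that the *pair* (issuer name, serial number) identifies a certificate, so a bundle check has to key on both. The script below uses the `cryptography` package (assumed installed) to mint a constructed hierarchy that reproduces the root.cert/cacert.cert situation: a self-signed root with serial 1 and a sub-CA also given serial 1 by that root (the forbidden case), next to a leaf with serial 1 under the sub-CA, which is fine because its issuer differs. All names, keys and serials are test fixtures built inline.

```python
"""Detect (issuer, serial) collisions in a set of X.509 certificates.

Added example; requires the `cryptography` package (assumption). Per
RFC 5280 4.1.2.2 the serial number must be unique per issuing CA, so
the uniqueness key is (issuer name, serial), not the serial alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def find_serial_collisions(certs):
    """Return {(issuer, serial): [subject, ...]} for every (issuer, serial)
    pair that more than one certificate in `certs` shares.  Names are
    rendered as RFC 4514 strings so they compare as plain text."""
    seen = defaultdict(list)
    for cert in certs:
        key = (cert.issuer.rfc4514_string(), cert.serial_number)
        seen[key].append(cert.subject.rfc4514_string())
    return {key: subjects for key, subjects in seen.items() if len(subjects) > 1}


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_key, subject_cn, issuer_name, issuer_key, serial, is_ca):
    """Mint a short-lived test certificate (constructed fixture, not a real CA)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_hierarchy():
    """Constructed hierarchy mirroring the thread:
      - "Demo Root":     self-signed, serial 1
      - "Demo Sub-CA A": issued by root, serial 1   <- collides with the root
      - "Demo Sub-CA B": issued by root, serial 2   <- fine
      - "Demo Leaf":     issued by Sub-CA A, serial 1 <- fine, different issuer
    """
    root_key = ec.generate_private_key(ec.SECP256R1())
    sub_a_key = ec.generate_private_key(ec.SECP256R1())
    sub_b_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    root_name = _name("Demo Root")
    root = _issue(root_key, "Demo Root", root_name, root_key, 1, True)
    sub_a = _issue(sub_a_key, "Demo Sub-CA A", root_name, root_key, 1, True)
    sub_b = _issue(sub_b_key, "Demo Sub-CA B", root_name, root_key, 2, True)
    leaf = _issue(leaf_key, "Demo Leaf", _name("Demo Sub-CA A"), sub_a_key, 1, False)
    return [root, sub_a, sub_b, leaf]


if __name__ == "__main__":
    for (issuer, serial), subjects in find_serial_collisions(build_demo_hierarchy()).items():
        print(f"collision: issuer={issuer} serial={serial} subjects={subjects}")
```

Point the same `find_serial_collisions` at certificates loaded with `x509.load_pem_x509_certificate` to audit a real bundle. Only the root/sub-CA A pair is reported: the leaf reuses serial 1 but under a different issuer, which is exactly the "each CA has its own serial number space" case agreed on above.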