On Thu, 27 Mar 2003, Richard Levitte via RT wrote:
> Something to note, however, is that the CA certificate usually has
> serial number 0, at least when creating it with OpenSSL the way it's
> usually described. Therefore, there may be problems verifying, since
> the serial number 0 will be in two certificates, and certificates are
> sometimes accessed as issuer+serial (to get the exact certificate)
> instead of subject. In the case where the CA cert and one of the issued
> certs have the same serial number, issuer+serial will lead to both of
> them, which in this case is an error. However, that's a user error
> rather than an OpenSSL one, since CA certs can, technically have any
> serial number, just as any other certificate...
It's not a user error, it's a "CA" error, since the serial numbers of all
the certificates signed by a CA *must* be unique under this CA. This
includes also the CA itself, when it's a self-signed CA.
--
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
If you never try anything new, you'll miss out on many of life's great
disappointments.
Demotivators, 2002 calendar
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
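
The issuer+serial ambiguity discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: a small audit that flags any (issuer, serial) pair held by more than one certificate. The sample records are constructed, written in the key=value style of `openssl x509 -noout -subject -issuer -serial`, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: one blank-line-separated record per certificate, in the
# key=value style printed by `openssl x509 -noout -subject -issuer -serial`.
SAMPLE = """\
subject=CN=Example Root CA
issuer=CN=Example Root CA
serial=00

subject=CN=www.example.test
issuer=CN=Example Root CA
serial=0

subject=CN=mail.example.test
issuer=CN=Example Root CA
serial=01

subject=CN=Other Root CA
issuer=CN=Other Root CA
serial=00
"""


def parse_records(text):
    """Turn blank-line-separated key=value blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        # Serial numbers are integers; "00" and "0" are the same serial.
        fields["serial"] = int(fields["serial"], 16)
        records.append(fields)
    return records


def issuer_serial_collisions(records):
    """Map each (issuer, serial) held by more than one certificate to its subjects."""
    index = defaultdict(list)
    for rec in records:
        index[(rec["issuer"].strip(), rec["serial"])].append(rec["subject"].strip())
    return {key: subjects for key, subjects in index.items() if len(subjects) > 1}


if __name__ == "__main__":
    for (issuer, serial), subjects in issuer_serial_collisions(parse_records(SAMPLE)).items():
        print(f"issuer={issuer!r} serial={serial:#x} is ambiguous: {subjects}")
```

The self-signed CA and the certificate it issued with serial 0 collide, while the second root with serial 0 does not, because its issuer differs.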