On Thu, 27 Mar 2003, Richard Levitte via RT wrote:

> Something to note, however, is that the CA certificate usually has
> serial number 0, at least when creating it with OpenSSL the way it's
> usually described.  Therefore, there may be problems verifying, since
> the serial number 0 will be in two certificates, and certificates are
> sometimes accessed as issuer+serial (to get the exact certificate)
> instead of subject. In the case where the CA cert and one of the issued
> certs have the same serial number, issuer+serial will lead to both of
> them, which in this case is an error.  However, that's a user error
> rather than an OpenSSL one, since CA certs can, technically, have any
> serial number, just as any other certificate...

It's not a user error, it's a "CA" error, since the serial numbers of all
the certificates signed by a CA *must* be unique under this CA. This
includes also the CA itself, when it's a self-signed CA.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
If you never try anything new, you'll miss out on many of life's great
disappointments.
                                      Demotivators, 2002 calendar
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
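
Added example, not part of the original messages and not OpenSSL code: a small check that indexes certificates by issuer+serial, the lookup key discussed in the thread, and reports every key shared by more than one certificate, including a self-signed CA certificate whose serial 0 is reused by an issued certificate. The record type, function names and sample DNs are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class CertRecord(NamedTuple):
    issuer: str   # issuer DN as a string
    serial: str   # serial number as a hex string
    subject: str  # subject DN as a string


def issuer_serial_key(cert):
    # Compare serials as integers so "00" and "0" count as the same serial.
    return (cert.issuer, int(cert.serial, 16))


def find_collisions(certs):
    """Return {(issuer, serial): [subjects]} for keys held by more than one cert."""
    index = defaultdict(list)
    for cert in certs:
        index[issuer_serial_key(cert)].append(cert.subject)
    return {key: subjects for key, subjects in index.items() if len(subjects) > 1}


def lookup(certs, issuer, serial):
    """Issuer+serial lookup that refuses to pick one of several matches."""
    matches = [c for c in certs if issuer_serial_key(c) == (issuer, serial)]
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} certificates share serial {serial} under {issuer}")
    return matches[0] if matches else None


# Constructed sample data: a self-signed CA with serial 0 and three issued certs.
CA_DN = "CN=Example Test CA"
OTHER_CA_DN = "CN=Other Test CA"
CERTS = [
    CertRecord(CA_DN, "00", CA_DN),                 # self-signed CA cert, serial 0
    CertRecord(CA_DN, "0", "CN=www.example.test"),  # issued cert reusing serial 0
    CertRecord(CA_DN, "01", "CN=mail.example.test"),
    CertRecord(OTHER_CA_DN, "00", "CN=db.example.test"),  # same serial, other issuer
]

if __name__ == "__main__":
    for (issuer, serial), subjects in find_collisions(CERTS).items():
        print(f"serial {serial} under {issuer!r} is used by: {subjects}")
```
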
