On Thu, 27 Mar 2003, Richard Levitte via RT wrote:

> Something to note, however, is that the CA certificate usually has
> serial number 0, at least when creating it with OpenSSL the way it's
> usually described. Therefore, there may be problems verifying, since
> the serial number 0 will be in two certificates, and certificates are
> sometimes accessed as issuer+serial (to get the exact certificate)
> instead of subject. In the case where the CA cert and one of the issued
> certs have the same serial number, issuer+serial will lead to both of
> them, which in this case is an error. However, that's a user error
> rather than an OpenSSL one, since CA certs can, technically, have any
> serial number, just as any other certificate...

It's not a user error, it's a "CA" error, since the serial numbers of all
the certificates signed by a CA *must* be unique under this CA. This
includes also the CA itself, when it's a self-signed CA.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
If you never try anything new, you'll miss out on many of life's great
disappointments.
Demotivators, 2002 calendar
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
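
The issuer+serial collision discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: a small store audit that keys certificates on (issuer, serial) and refuses an ambiguous exact lookup. The `Cert` record, the function names and the sample names are hypothetical and the data is constructed; real certificates would be parsed from DER/PEM first.

```python
from collections import defaultdict
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str
    serial: int

    @property
    def self_signed(self) -> bool:
        # Name comparison only; a full check would also verify the signature.
        return self.subject == self.issuer


def build_index(certs):
    """Index certificates by (issuer, serial), the key used for exact lookup."""
    index = defaultdict(list)
    for cert in certs:
        index[(cert.issuer, cert.serial)].append(cert)
    return index


def find_collisions(certs):
    """Return {(issuer, serial): [certs]} for every key held by more than one cert."""
    return {key: hits for key, hits in build_index(certs).items() if len(hits) > 1}


def lookup(certs, issuer, serial):
    """Exact lookup by issuer+serial; more than one match is treated as an error."""
    matches = build_index(certs).get((issuer, serial), [])
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} certificates share issuer={issuer!r} serial={serial}")
    return matches[0] if matches else None


# Constructed sample store: a self-signed CA with serial 0 that also issued serial 0.
CA = "CN=Example Test CA"
STORE = [
    Cert(CA, CA, 0),                  # self-signed CA certificate
    Cert("CN=server.example", CA, 0), # first issued certificate, same serial
    Cert("CN=client.example", CA, 1),
]

if __name__ == "__main__":
    for (issuer, serial), hits in find_collisions(STORE).items():
        print(f"collision on issuer={issuer!r} serial={serial}:")
        for cert in hits:
            print(f"  {cert.subject}" + (" (self-signed)" if cert.self_signed else ""))
```
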