In message <[EMAIL PROTECTED]> on Thu, 27 Mar 2003 19:04:30 +0100 (CET), Erwann Abalea <[EMAIL PROTECTED]> said:
erwann.abalea> On Thu, 27 Mar 2003, Richard Levitte via RT wrote:
erwann.abalea>
erwann.abalea> > Something to note, however, is that the CA
erwann.abalea> > certificate usually has serial number 0, at least
erwann.abalea> > when creating it with OpenSSL the way it's usually
erwann.abalea> > described. Therefore, there may be problems
erwann.abalea> > verifying, since the serial number 0 will be in two
erwann.abalea> > certificates, and certificates are sometimes accessed
erwann.abalea> > as issuer+serial (to get the exact certificate)
erwann.abalea> > instead of subject. In the case where the CA cert and
erwann.abalea> > one of the issued certs have the same serial number,
erwann.abalea> > issuer+serial will lead to both of them, which in
erwann.abalea> > this case is an error. However, that's a user error
erwann.abalea> > rather than an OpenSSL one, since CA certs can,
erwann.abalea> > technically, have any serial number, just as any other
erwann.abalea> > certificate...
erwann.abalea>
erwann.abalea> It's not a user error, it's a "CA" error, since the
erwann.abalea> serial numbers of all the certificates signed by a CA
erwann.abalea> *must* be unique under this CA. This includes also the
erwann.abalea> CA itself, when it's a self-signed CA.

I completely agree. However, when you say "CA", do you mean "openssl ca" or a generic "CA" operation (which does include people)? In the latter case, it can be seen as an error made by people who should know enough not to let such an error pass by. In any case, we can probably debate for a long time who's to blame.

To remedy this, I've made changes in 0.9.8-dev to allow 'openssl ca' to create self-signed certificates, and store them in the database just like all other certificates. This allows CA certificates to be stored alongside the others, and for the same serial number counter to be used for those as well.

I'm recommending the use of the '-selfsign' flag to 'openssl ca' whenever a CA certificate is created, starting with that version of OpenSSL (in the future). That should take care of the above error.

Another change I've made is the addition of the configuration option "unique_subject", which when set to "no" allows for several certificate entries with the same subject to appear in the database. That should help things like certificate roll-over, together with cross-signing using the -ss_sign flag.

Please, for those wanting to experiment with this, try the latest snapshot of OpenSSL 0.9.8-dev (that's the file names in the snapshot directory without any version number in them). You may run into weirdnesses, as I haven't been able to test every aspect yet. Please send reports if something goes wrong!

-- 
Richard Levitte                         \ Spannvägen 38, II  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]                       \ S-168 35  BROMMA   \ T: +46-8-26 52 47
                                        \ SWEDEN             \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                  -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
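The serial collision and the unique_subject behaviour discussed in this message, as an added Python example that is not OpenSSL's code and not part of the thread: it parses a constructed `openssl ca` database (index.txt, six tab-separated fields per entry) and reports serials that more than one certificate under the CA carries, and subjects that appear more than once. The sample entries, DNs and serial values are constructed.

```python
from collections import Counter
from typing import List, NamedTuple

class IndexEntry(NamedTuple):
    status: str    # V = valid, R = revoked, E = expired
    expiry: str    # YYMMDDHHMMSSZ
    revoked: str   # revocation date, empty unless revoked
    serial: str    # hex, as openssl ca writes it
    filename: str  # normally "unknown"
    subject: str   # subject DN

def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            if len(fields) != 6:
                raise ValueError(f"malformed index line: {line!r}")
            entries.append(IndexEntry(*fields))
    return entries

def serial_collisions(entries: List[IndexEntry], ca_serial: str = "") -> List[int]:
    """Serials carried by more than one certificate under this CA. ca_serial is
    the serial of a CA cert kept outside the database (`openssl req -x509`, often
    0); leave it empty when the CA cert was made with `openssl ca -selfsign`."""
    counts = Counter(int(e.serial, 16) for e in entries)
    if ca_serial:
        counts[int(ca_serial, 16)] += 1
    return sorted(s for s, n in counts.items() if n > 1)

def duplicate_subjects(entries: List[IndexEntry]) -> List[str]:
    """Subjects with more than one unrevoked entry (allowed by unique_subject = no)."""
    counts = Counter(e.subject for e in entries if e.status != "R")
    return sorted(s for s, n in counts.items() if n > 1)

# Constructed sample: CA cert from `openssl req -x509` with serial 0 and not in the
# database, while the serial file also started at 00 for the first issued cert.
OLD_STYLE_CA_SERIAL = "00"
OLD_STYLE_INDEX = "\n".join([
    "V\t040327180430Z\t\t00\tunknown\t/C=SE/O=Example/CN=www.example.test",
    "V\t040327181000Z\t\t01\tunknown\t/C=SE/O=Example/CN=mail.example.test",
])
# Constructed sample: CA cert issued with `openssl ca -selfsign`, so it took 01 from
# the shared counter, plus a roll-over CA cert with the same subject at 03.
SELFSIGN_INDEX = "\n".join([
    "V\t130327180430Z\t\t01\tunknown\t/C=SE/O=Example/CN=Example CA",
    "V\t040327181000Z\t\t02\tunknown\t/C=SE/O=Example/CN=www.example.test",
    "V\t230327180430Z\t\t03\tunknown\t/C=SE/O=Example/CN=Example CA",
])
```

With the old layout an issuer+serial lookup for serial 0 matches both the CA cert and the first leaf; with the CA cert recorded through the shared counter there is no collision, and the second "Example CA" entry is the roll-over case that needs unique_subject = no.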