In message <[EMAIL PROTECTED]> on Thu, 27 Mar 2003 19:04:30 +0100 (CET), Erwann Abalea 
<[EMAIL PROTECTED]> said:

erwann.abalea> On Thu, 27 Mar 2003, Richard Levitte via RT wrote:
erwann.abalea> 
erwann.abalea> > Something to note, however, is that the CA
erwann.abalea> > certificate usually has serial number 0, at least
erwann.abalea> > when creating it with OpenSSL the way it's usually
erwann.abalea> > described.  Therefore, there may be problems
erwann.abalea> > verifying, since the serial number 0 will be in two
erwann.abalea> > certificates, and certificates are sometimes accessed
erwann.abalea> > as issuer+serial (to get the exact certificate)
erwann.abalea> > instead of subject. In the case where the CA cert and
erwann.abalea> > one of the issued certs have the same serial number,
erwann.abalea> > issuer+serial will lead to both of them, which in
erwann.abalea> > this case is an error.  However, that's a user error
erwann.abalea> > rather than an OpenSSL one, since CA certs can,
erwann.abalea> > technically have any serial number, just as any other
erwann.abalea> > certificate...
erwann.abalea> 
erwann.abalea> It's not a user error, it's a "CA" error, since the
erwann.abalea> serial numbers of all the certificates signed by a CA
erwann.abalea> *must* be unique under this CA. This includes also the
erwann.abalea> CA itself, when it's a self-signed CA.

I completely agree.  However, when you say "CA", do you mean "openssl
ca" or a generic "CA" operation (which does include people).  In the
latter case, it can be seen as an error made by people who should know
enough not to let such an error pass by.

In any case, we can probably debate for a long time who's to blame.
To remedy this, I've made changes in 0.9.8-dev to allow 'openssl ca'
to create self-signed certificates, and store them in the database
just like all other certificates.  This allows CA certificates to be
stored alongside the others, and for the same serial number counter to
be used for those as well.  I'm recommending the use of the
'-selfsign' flag to 'openssl ca' whenever a CA certificate, starting
with that version of OpenSSL (in the future).  That should take care
of the above error.

Another change I've made is the addition of the configuration option
"unique_subject", which when set to "no" allows for several
certificate entries with the same subject to appear in the database.
That should help things like certificate roll-over, together with
cross-signing using the -ss_sign flag.

Please, for those wanting to experiment with this, try the latest
snapshot of OpenSSL 0.9.8-dev (that's the file names in the snapshot
directory without any version number in them).  You may run into
weirdnesses, as I haven't been able to test every aspect yet.  Please
send reports if something goes wrong!

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
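As an added illustration of the two points made in the message above (it is not code from the thread or from OpenSSL itself), the following Python checker reads an 'openssl ca' index.txt database and flags the two conditions discussed: a serial number that is used twice under the same CA (including the case where the CA's own certificate was created outside the database with serial 0), and several entries sharing a subject when unique_subject is left at its default. The index.txt field layout (status, expiry, revocation date, hex serial, filename, subject, tab-separated) is the real one; the sample records, the DNs and the strict treatment of revoked entries under unique_subject are constructed assumptions of this example.

```python
"""Constructed 'openssl ca' index.txt data and a consistency checker.
Example only: the records below were written for this illustration."""

# Old practice described in the thread: the CA certificate was produced
# with 'openssl req -x509' (serial 0) and never entered the database, so
# the counter for issued certificates can hand out serial 0 a second time.
OLD_STYLE_INDEX = (
    "V\t250101000000Z\t\t00\tunknown\t/CN=server.example.test\n"
    "V\t250101000000Z\t\t01\tunknown\t/CN=mail.example.test\n"
)
OLD_STYLE_CA_SERIAL = 0  # serial of the CA certificate kept outside the database

# Practice the thread introduces: 'openssl ca -selfsign' stores the CA
# certificate in the same database, so it takes serial 00 from the shared
# counter and nothing else can reuse it. The two server entries model a
# roll-over: the old certificate revoked, the replacement valid.
NEW_STYLE_INDEX = (
    "V\t330101000000Z\t\t00\tunknown\t/CN=Example Root CA\n"
    "R\t250101000000Z\t240601000000Z\t01\tunknown\t/CN=server.example.test\n"
    "V\t260101000000Z\t\t02\tunknown\t/CN=server.example.test\n"
)

INDEX_FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt: one tab-separated record per line with the fields
    status (V/R/E), expiry, revocation date, serial (hex), filename, subject."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(INDEX_FIELDS):
            raise ValueError(
                f"index line {lineno}: expected {len(INDEX_FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(INDEX_FIELDS, parts))
        entry["serial_int"] = int(entry["serial"], 16)
        entries.append(entry)
    return entries


def check_database(entries, external_ca_serial=None, unique_subject=True):
    """Return a list of problems (empty when the database is consistent).

    external_ca_serial: serial of a CA certificate kept outside the database
    (the old practice); None when the CA certificate is itself an entry.
    unique_subject: mirrors the configuration option of the same name; when
    False, several entries may share a subject, which a roll-over needs.
    """
    problems = []
    by_serial = {}
    if external_ca_serial is not None:
        by_serial[external_ca_serial] = "CA certificate (outside the database)"
    for e in entries:
        owner = f"entry {e['serial']} ({e['subject']})"
        if e["serial_int"] in by_serial:
            # issuer+serial would now resolve to two certificates
            problems.append(
                f"serial {e['serial_int']:#x} used twice: {by_serial[e['serial_int']]} and {owner}")
        else:
            by_serial[e["serial_int"]] = owner
    if unique_subject:
        # Assumption of this example: any existing entry for a subject,
        # revoked or not, blocks a second entry for that subject.
        by_subject = {}
        for e in entries:
            if e["subject"] in by_subject:
                problems.append(
                    f"subject {e['subject']} appears in entries {by_subject[e['subject']]} and {e['serial']}")
            else:
                by_subject[e["subject"]] = e["serial"]
    return problems


if __name__ == "__main__":
    print("old style:", check_database(parse_index(OLD_STYLE_INDEX), OLD_STYLE_CA_SERIAL))
    print("new style, unique_subject = yes:", check_database(parse_index(NEW_STYLE_INDEX)))
    print("new style, unique_subject = no:",
          check_database(parse_index(NEW_STYLE_INDEX), unique_subject=False))
```

Running it shows the old layout reporting the duplicated serial 0, the new layout passing the serial check in both modes, and the roll-over pair being accepted only once unique_subject is set to "no".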
