Hi, I found the following text at http://www.openssl.org/docs/apps/ca.html# :

unique_subject: If the value yes is given, the valid certificate entries in the database must have unique subjects. If the value no is given, several valid certificate entries may have the exact same subject. The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.

As I understand it, this functionality is going into 0.9.8. What am I supposed to tell my customers in the meantime? Consider the following from my customer:

Let's assume the following scenario. We create a server certificate and assign a lifetime of one year. Server certificates must have the server name in the CN field of the subject. The rest of the subject is filled with information about our company. Eleven months later, we realize that the server certificate will expire the next month. So we decide to create a new certificate. It seems logical to me that we use the same subject (we have to use the same DN). With the openssl command line tool we are not able to create a new certificate, since it finds the subject string in the database and refuses the creation of the new certificate. I cannot revoke the existing certificate, because then it loses its validity and my server will not be trusted anymore.

Thanks,
Kevin.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
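The customer's scenario, reproduced end to end as an added example (this is not code from the post or from OpenSSL). It builds a throwaway CA, issues a server certificate, then tries to issue a second certificate with the same DN while the first is still valid: once with the default unique_subject = yes (refused, as the customer saw), once after changing only the config (still refused, because the index.txt.attr file written by the first run takes precedence), and once after setting unique_subject = no in both places (accepted). It assumes an OpenSSL on PATH that has the unique_subject option (0.9.8 or later); the CA section name, DNs and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL: reproduce the
# "subject already in the database" refusal and show the unique_subject = no
# fix, including the index.txt.attr gotcha. Assumes OpenSSL >= 0.9.8 on PATH.
# demo_ca, www.example.com and Example Corp are made-up names.
set -e

SERVER_DN="/CN=www.example.com/O=Example Corp"

# Write a minimal CA configuration; $1 is the unique_subject value to use.
write_cnf() {
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = ./index.txt
new_certs_dir   = ./newcerts
serial          = ./serial
certificate     = ./cacert.pem
private_key     = ./cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_server
x509_extensions = server_ext
unique_subject  = $1

[ policy_server ]
commonName       = supplied
organizationName = optional

[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Sign CSR $1 into $2; print "accepted" or "refused" instead of aborting.
sign_csr() {
    if openssl ca -batch -notext -config ca.cnf -in "$1" -out "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo refused
    fi
}

# Runs in a subshell so the cd does not leak into the caller.
demo_rollover() (
    workdir=$(mktemp -d)
    cd "$workdir"
    mkdir newcerts
    touch index.txt            # the "database" the post refers to
    echo 01 > serial

    write_cnf yes              # the default, and what the customer is running

    # Self-signed CA, then the original server certificate (row 1, status V).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
        -days 3650 -subj "/CN=Demo Root CA" -config ca.cnf >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout server1.key -out server1.csr \
        -subj "$SERVER_DN" -config ca.cnf >/dev/null 2>&1
    [ "$(sign_csr server1.csr server1.crt)" = accepted ]

    # "Eleven months later": new key, new CSR, identical DN, old cert still V.
    openssl req -newkey rsa:2048 -nodes -keyout server2.key -out server2.csr \
        -subj "$SERVER_DN" -config ca.cnf >/dev/null 2>&1

    first=$(sign_csr server2.csr server2.crt)   # refused: a V row with this subject exists

    write_cnf no
    second=$(sign_csr server2.csr server2.crt)  # still refused: index.txt.attr (written by
                                                # the first run) says yes and wins over ca.cnf

    echo 'unique_subject = no' > index.txt.attr
    third=$(sign_csr server2.csr server2.crt)   # accepted: two V rows, same subject

    echo "$first $second $third $(grep -c '^V' index.txt)"
)

demo_rollover   # prints: refused refused accepted 2
```

Two things the script makes visible that the manual page does not spell out: the setting is persisted per database in index.txt.attr, so an existing CA needs that file edited as well as the config, and the duplicate check is over rows whose status is V only. Revoked rows (R) never block a re-issue, and a certificate that has merely expired keeps its V status until `openssl ca -updatedb` marks it E, so with unique_subject = yes the old certificate blocks the renewal exactly during the overlap window the customer needs.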