Hi,
I found the following text at http://www.openssl.org/docs/apps/ca.html# :

unique_subject
if the value yes is given, the valid certificate entries in the database must have unique subjects. if the value no is given, several valid certificate entries may have the exact same subject. The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.

As I understand it, this functionality is going into 0.9.8. What am I supposed to tell my customers in the meantime? Consider the following from my customer:

Let's assume the following scenario. We create a server certificate and assign a lifetime of one year. Server certificates must have the server name in the CN field of the subject. The rest of the subject is filled with information about our company. Eleven months later, we realize that the server certificate will expire the next month. So we decide to create a new certificate. It seems logical to me that we use the same subject (we have to use the same DN). With the openssl command line tool we are not able to create a new certificate, since it finds the subject string in the database and refuses the creation of the new certificate. I cannot revoke the existing certificate, because then it loses its validity and my server will not be trusted anymore.

 Thanks,
 Kevin.
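The roll-over scenario above, as an added example that is not part of the original post or of the OpenSSL project's own code: a throwaway CA is built twice, once with `unique_subject = yes` (the documented default) and once with `unique_subject = no`, and in each case `openssl ca` is asked to sign two CSRs carrying the identical subject DN. It assumes an `openssl` binary on PATH; every directory name, file name and DN (Example Corp, www.example.com) is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): show how unique_subject in
# openssl.cnf decides whether `openssl ca` will sign a second, still-valid
# certificate for a subject DN that is already in index.txt.
# Assumes `openssl` is on PATH; all paths and DNs below are constructed.
set -eu

# write_ca_config DIR MODE : minimal openssl.cnf for a CA rooted at DIR,
# with unique_subject set to MODE (yes or no).
write_ca_config() {
    dir=$1; mode=$2
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default

[ CA_default ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
serial         = \$dir/serial
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = $mode

[ policy_match ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name (server host name)
EOF
}

# new_ca DIR : create the index/serial/newcerts layout and a self-signed CA cert.
new_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # empty certificate database
    echo 1000 > "$dir/serial"       # first serial number (hex)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=Example Corp/CN=Example Root CA" >/dev/null 2>&1
}

# issue_server_cert DIR NAME : generate a CSR for the fixed server DN and
# sign it; the return status is that of `openssl ca`.
issue_server_cert() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/O=Example Corp/CN=www.example.com" >/dev/null 2>&1
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# valid_cert_count MODE : build a fresh CA with unique_subject = MODE, try to
# issue two certificates with the same subject (the "year 1" cert and its
# replacement), and print the number of valid ('V') entries in index.txt.
valid_cert_count() {
    mode=$1
    dir=$(mktemp -d)
    write_ca_config "$dir" "$mode"
    new_ca "$dir"
    issue_server_cert "$dir" server-year1
    issue_server_cert "$dir" server-year2 || true   # refused when MODE is yes
    grep -c '^V' "$dir/index.txt"
    rm -rf "$dir"
}

# Stand-alone run: prints 1 for the default, 2 once unique_subject = no.
echo "unique_subject = yes -> valid entries: $(valid_cert_count yes)"
echo "unique_subject = no  -> valid entries: $(valid_cert_count no)"
```

Two points worth checking on a real CA rather than a throwaway one: the second signing under `unique_subject = yes` fails with the same refusal the customer describes, while under `no` both certificates stay `V` in `index.txt`, so the old one keeps serving until the new one is deployed; and `openssl ca` records the setting in `index.txt.attr` the first time it touches a database, and that file is consulted in preference to `openssl.cnf` on later runs, so on an existing CA the value has to be changed there as well, not only in the config file.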


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
