jehan procaccia wrote:
I finally found it !
[proca...@anaconda ~]$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/new_it_root_ca10.crt -verify 3
verify depth is 3
CONNECTED(00000003)
depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
verify return:1
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
verify return:1
depth=1 /CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
verify return:1
depth=0 /C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
verify return:1
---
Certificate chain
 0 s:/C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
   i:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
 1 s:/CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
   i:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
 2 s:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
   i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
 3 s:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
   i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
Now everything seems OK with that new root CA:
http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt
Unfortunately it's not completely finished :-(
Now on clients where I removed the original root CA and added the new re-signed root CA (new_it_root_ca10.crt), I have an issuer/serial problem when accessing a server configured with the "old" root CA.
For example, going to https://www-cours.it-sudparis.eu/, a server which is configured with the original chain and the itrootca root CA, Firefox complains about:
"sec_error_reused_issuer_and_serial"
The same with the SeaMonkey client:
"Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number"
Indeed my re-signed root CA (http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt) does have the same serial values as the original itrootca.crt:
$ openssl x509 -in /etc/pki/tls/certs/new_it_root_ca10.crt -text
...
Serial Number:
f9:bf:e3:44:a7:66:2a:a4
X509v3 Authority Key Identifier:
serial:F9:BF:E3:44:A7:66:2A:A4
...
Indeed, I suppose that when I re-signed my root CA this way:
openssl x509 -signkey it_root_ca.key -set_serial 01 -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in it_root_ca.crt -out new_it_root_ca10.crt
then, as long as I pass the original "-in it_root_ca.crt" in the command above, I suspect it extracts the serial from it; no matter what I set with the "-set_serial" openssl option, it does not set anything new!
So here's my question: should I set a new serial in order not to conflict with the original one, and how can I set it?
If I cannot set a new serial, then it means I should change all my server CA-chain configs in one shot, on the same day, and all my clients' browser "keystores" :-( ? Or is there a soft and clean way to migrate smoothly from the original root CA to the new one?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
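The collision the message above describes (two different certificates carrying the same issuer name and serial, which is exactly what the browser indexes on) and one way to re-issue a root under a fresh serial, as an added shell example that is not part of the original message or of OpenSSL's own documentation. It assumes a POSIX shell with the openssl CLI; the throwaway root CA, the file names and the serial 0x1000 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell and the
# openssl CLI; the root CA below is a constructed throwaway, not the IT CA.
set -e

# "issuer|serial" for a certificate: the pair browsers index certificates by,
# so two different certificates with the same pair trigger
# sec_error_reused_issuer_and_serial.
cert_issuer_serial() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$issuer" "$serial"
}

# Returns 0 when the two certificates would collide in a client's store.
same_issuer_and_serial() {
  [ "$(cert_issuer_serial "$1")" = "$(cert_issuer_serial "$2")" ]
}

# Re-issue a self-signed CA certificate under a chosen serial by turning the
# old certificate into a CSR first: in the -req path, openssl x509 honours
# -set_serial. CA extensions must be supplied again with -extfile/-extensions
# (omitted here to keep the demo short).
reissue_root_with_serial() {
  key=$1; oldcert=$2; newcert=$3; serial=$4
  openssl x509 -x509toreq -in "$oldcert" -signkey "$key" \
    -out "$newcert.csr" 2>/dev/null
  openssl x509 -req -in "$newcert.csr" -signkey "$key" -set_serial "$serial" \
    -days 3650 -out "$newcert" 2>/dev/null
}

# Builds a throwaway root, re-signs it the way the post did, and re-issues it
# with a new serial; leaves the files in $DEMO_DIR for inspection.
run_demo() {
  DEMO_DIR=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/ca.key" \
    -subj '/CN=Example Root CA' -days 365 -out "$DEMO_DIR/ca.crt" 2>/dev/null
  # plain re-sign of the existing certificate: issuer and serial carry over
  openssl x509 -signkey "$DEMO_DIR/ca.key" -in "$DEMO_DIR/ca.crt" \
    -days 3650 -out "$DEMO_DIR/resigned.crt" 2>/dev/null
  reissue_root_with_serial "$DEMO_DIR/ca.key" "$DEMO_DIR/ca.crt" \
    "$DEMO_DIR/reissued.crt" 0x1000
  for c in ca resigned reissued; do
    printf '%-9s %s\n' "$c" "$(cert_issuer_serial "$DEMO_DIR/$c.crt")"
  done
}

run_demo
```

The printed table shows ca and resigned sharing one issuer|serial pair (the collision) while reissued differs only in its serial, so both roots can coexist in a client store during a migration.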