So using the "-CAserial serial.srl" might be a good idea to avoid this.
Now this leads me to the next question:

- Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending log to the serial.srl file that's updated each time it's used?

In short, a list of cert name (=CN perhaps) and serial number associated with it. ??

Thanks,
Andy Goktas

>>> <aerow...@gmail.com> 9/19/2010 1:53 PM >>>
If you generate multiple certs with the same serial number, Firefox (and anything built with NSS) will absolutely refuse to have anything to do with those sites. There's no "click 3 times to get access", it's a simple refusal to talk with a non-standards-compliant server. (Of course, this puts the owner of the site in a lurch, because he doesn't run the CA in the vast majority of circumstances.)

Other TLS clients and browsers likely will do the same. I haven't checked though.

-Kyle H

On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS <andy.gok...@state.or.us> wrote:
> Hello,
>
> Just curious if anyone knows, but what happens if I generate multiple server
> certs (using my self generated signing CA using openssl) that have the same
> assigned serial number?
>
> Does this create a conflict within the network and if users' end up
> accessing both certs, kaboooom?
>
> Is it merely a method of basic tracking on how many certificates a CA signs?
>
> Thanks,
> Andy Goktas
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
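
An added example, not part of the original thread or of OpenSSL itself: one way to script the cross-reference asked about above. The `-CAserial` file holds a single serial number that is rewritten on each use, so this wrapper keeps its own append-only log and rejects a serial that repeats. The file names `ca.crt`, `ca.key`, `serial.srl`, `issued.log` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: sign a CSR, then append "timestamp<TAB>serial<TAB>subject"
# to a log so every issued serial can be traced to a certificate name.
# ca.crt, ca.key, serial.srl and issued.log are assumed file names.

LOG=${LOG:-issued.log}

# Turn the output of `openssl x509 -noout -serial -subject` (read on stdin)
# into one tab-separated record. $1 is the timestamp to record.
# Fails if no serial= line was seen, so a bad cert is never logged.
format_entry() {
    awk -v ts="$1" '
        /^serial=/  { sub(/^serial=/, "");    serial  = $0 }
        /^subject=/ { sub(/^subject= */, ""); subject = $0 }
        END {
            if (serial == "") exit 1
            printf "%s\t%s\t%s\n", ts, serial, subject
        }'
}

# Print every serial number that occurs more than once in log file $1.
duplicate_serials() {
    cut -f2 "$1" | sort | uniq -d
}

# Sign CSR $1 into certificate $2 using the CA's serial file, log the
# result, and fail loudly if the log now contains a repeated serial.
sign_and_log() {
    csr=$1
    crt=$2
    openssl x509 -req -in "$csr" -out "$crt" -days 365 \
        -CA ca.crt -CAkey ca.key \
        -CAserial serial.srl -CAcreateserial || return 1
    entry=$(openssl x509 -in "$crt" -noout -serial -subject |
        format_entry "$(date -u +%Y-%m-%dT%H:%M:%SZ)") || return 1
    printf '%s\n' "$entry" >> "$LOG"
    dups=$(duplicate_serials "$LOG")
    if [ -n "$dups" ]; then
        echo "duplicate serial(s) in $LOG: $dups" >&2
        return 1
    fi
}

# Usage: sign_and_log server.csr server.crt
```

The same `duplicate_serials` check can be run on its own against an existing log to audit certificates that were signed before the wrapper was in place.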