I hit this EXACT problem.

The *wrong* ways to solve it are to keep deleting the database or deleting
records from the database.

The right way to solve it is to revoke certificates that you want to
re-issue. I just happen to have a (Windows - sorry if you're not Windows)
.BAT file to do just that, and as a side benefit, it maintains a CRL that
you can play with. (You do intend to support CRLs, right?)

rem revoke a certificate and re-issue the CRL
rem "unable to write 'random state'" seems to be normal
rem pass the name of the PEM file to be revoked as the only argument

rem mark the certificate as revoked in the CA database (index.txt)
openssl.exe ca -revoke %1 -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password

rem regenerate the CRL from the updated database
openssl.exe ca -gencrl -out myRevocations.crl -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password

rem pause ignores its arguments, so print the reminder with echo first
echo Check status of certificate revocation and CRL generation (CRL *success* outputs no messages)
pause

Charles
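As an added example (not Charles's script and not OpenSSL project code), here is a Python model of the index.txt database that `openssl ca` keeps, with the clash rule assumed to match OpenSSL's: serials must be unique over every row, subjects (with unique_subject = yes) only over rows that are still valid, which is exactly why revoking first lets the same subject be re-signed. The constructed sample row and serials are not taken from the thread.

```python
# Added example (not from the post): model of the OpenSSL `ca` database index.txt,
# showing why re-signing a subject hits "TXT_DB error number 2" and how revoking clears it.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Entry:  # one tab-separated row of index.txt
    status: str    # "V" valid, "R" revoked, "E" expired
    expiry: str    # YYMMDDHHMMSSZ
    revoked: str   # revocation time, empty unless status == "R"
    serial: str    # hex serial number
    filename: str  # normally "unknown"
    subject: str   # DN in OpenSSL's slash notation

def parse_index(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            if len(fields) != 6:
                raise ValueError("malformed index.txt row: %r" % line)
            rows.append(Entry(*fields))
    return rows

def dump_index(rows):
    return "".join("\t".join(vars(e).values()) + "\n" for e in rows)

def add_entry(rows, entry, unique_subject=True):
    # Assumed clash rules: serials unique over all rows; with unique_subject = yes
    # the subject is unique over valid (V) rows only, so a revoked row does not block a new cert.
    if any(e.serial == entry.serial for e in rows):
        raise ValueError("TXT_DB error number 2: duplicate serial " + entry.serial)
    if unique_subject and any(e.status == "V" and e.subject == entry.subject for e in rows):
        raise ValueError("TXT_DB error number 2: duplicate subject " + entry.subject)
    rows.append(entry)

def revoke(rows, serial, when=None):
    # Equivalent of `openssl ca -revoke`: flip V -> R and stamp the time (YYMMDDHHMMSSZ).
    when = when or datetime.now(timezone.utc).strftime("%y%m%d%H%M%SZ")
    for e in rows:
        if e.serial == serial and e.status == "V":
            e.status, e.revoked = "R", when
            return e
    raise LookupError("no valid certificate with serial " + serial)

def revoked_serials(rows):
    # The serials `openssl ca -gencrl` would list on the CRL built from this database.
    return [e.serial for e in rows if e.status == "R"]
```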

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Derek Cole
Sent: Thursday, October 11, 2012 3:14 PM
To: openssl-users@openssl.org
Subject: OpenSSL cert authority with no database
Hello,

Is there a way to sign certificates with your own CA, and NOT have to use a
database file to keep track of them? For development purposes, I end up
creating the same cert multiple times, and trying to sign it, which will
sometimes cause me to get the "TXT_DB error number 2", which does not allow
the signing of the cert to proceed.

Thanks!
