Thanks for the quick response. I hadn't thought about CRLs at this point,
actually. I am just wading into this, trying to get minimal functionality
first.

In case anyone is wondering, I also found that if you make a database.attr
file to go with the database, you can add "unique_subject = no" as a
workaround until implementing something more stable.

-Derek


On Thu, Oct 11, 2012 at 6:34 PM, Charles Mills <charl...@mcn.org> wrote:

> I hit this EXACT problem.
>
> The wrong ways to solve it are to keep deleting the database or
> deleting records from the database.
>
> The right way to solve it is to revoke certificates that you want to
> re-issue. I just happen to have a (Windows – sorry if you're not Windows)
> .BAT file to do just that, and as a side benefit, it maintains a CRL that
> you can play with. (You do intend to support CRLs, right?)
>
> rem revoke a certificate and re-issue the CRL
> rem "unable to write 'random state'" seems to be normal
> rem pass the name of the PEM file to be revoked as the only argument
>
> openssl.exe ca -revoke %1 -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password
>
> openssl.exe ca -gencrl -out myRevocations.crl -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password
>
> pause Check status of certificate revocation and CRL generation (CRL success outputs no messages)
>
> Charles
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Derek Cole
> Sent: Thursday, October 11, 2012 3:14 PM
> To: openssl-users@openssl.org
> Subject: OpenSSL cert authority with no database
>
> Hello,
>
> Is there a way to sign certificates with your own CA, and NOT have to use
> a database file to keep track of them? For development purposes, I end up
> creating the same cert multiple times, and trying to sign it, which will
> cause me to get the "TXT_DB error number 2"
> sometimes, which does not allow the signing of the cert to proceed.
>
> Thanks!
>
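The following script is an added example and is not code from either message in this thread. It builds a throwaway CA in a temporary directory (the config section names, subjects, file names and the 1000 serial are all constructed for the demo), reproduces the "TXT_DB error number 2" refusal when the same subject is signed twice under the default unique_subject setting, applies the index.txt.attr workaround from the reply above, and then performs the revoke-and-regenerate-CRL sequence from Charles's .BAT file with portable openssl commands. Only the CA's own database is used to decide whether the duplicate is refused; nothing in the thread's config files is assumed beyond what the commands themselves require.

```shell
#!/bin/sh
# Added example, not from the thread. Everything here (paths, section names,
# subjects, serials) is constructed for a disposable demo CA.

# Sign the demo CSR with the demo CA; $1 = work dir, $2 = output cert path.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$1/dev.csr" -out "$2" >/dev/null 2>&1
}

demo_ca_flow() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    work=$(mktemp -d) || return 1
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"            # the text database that "openssl ca" maintains
    echo 1000 > "$work/serial"       # next serial (hex), constructed value
    echo 1000 > "$work/crlnumber"    # next CRL number (hex), constructed value

    # Minimal CA config with absolute paths so it runs from any directory.
    # unique_subject is deliberately left out so the default (yes) applies.
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $work/index.txt
new_certs_dir    = $work/newcerts
certificate      = $work/ca.crt
private_key      = $work/ca.key
serial           = $work/serial
crlnumber        = $work/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name
EOF

    # Self-signed root, and one CSR that will be submitted more than once.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$work/openssl.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.crt" -days 365 \
        -subj "/CN=Dev Root CA" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$work/openssl.cnf" \
        -keyout "$work/dev.key" -out "$work/dev.csr" \
        -subj "/CN=dev.example.test" >/dev/null 2>&1 || return 1

    sign_csr "$work" "$work/dev1.crt" || return 1

    # With the default unique_subject = yes, a second valid certificate for
    # the same subject is refused; this is the "TXT_DB error number 2" case.
    if sign_csr "$work" "$work/dev2.crt"; then dup_rejected=no; else dup_rejected=yes; fi

    # Workaround from the thread: relax the rule in the database attr file.
    echo "unique_subject = no" > "$work/index.txt.attr"
    sign_csr "$work" "$work/dev2.crt" || return 1

    # The cleaner route: revoke the stale certificate and regenerate the CRL,
    # so relying parties can learn that dev1.crt is no longer trusted.
    openssl ca -config "$work/openssl.cnf" -revoke "$work/dev1.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$work/openssl.cnf" -gencrl -out "$work/ca.crl" >/dev/null 2>&1 || return 1

    # index.txt rows start with V (valid) or R (revoked); the CRL lists one serial.
    valid=$(grep -c '^V' "$work/index.txt")
    revoked=$(grep -c '^R' "$work/index.txt")
    crl_entries=$(openssl crl -in "$work/ca.crl" -noout -text | grep -c 'Serial Number:')
    rm -rf "$work"
    echo "dup_rejected=$dup_rejected valid=$valid revoked=$revoked crl_entries=$crl_entries"
}
```

Running `demo_ca_flow` prints `dup_rejected=yes valid=1 revoked=1 crl_entries=1`: the duplicate was refused until the attr file was changed, and after revocation the database keeps one valid and one revoked row while the CRL carries exactly that revoked serial. Note that the attr file value takes effect on the next `openssl ca` run, and that revoking (rather than deleting rows) is what keeps the CRL an honest record of which certificates the CA has withdrawn.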
