RE: Duplicate serial number

2010-09-23 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Pascal Delaunay
>   Sent: Thursday, 23 September, 2010 12:00

>   The "database" file (an option in your openssl.conf) handles that
>   perfectly.

If you use 'ca', or, as Patrick Patterson said, the scripts which do so.
Not 'x509 -req [-CAserial file]'; that stores only the (last-used) number.

>   2010/9/22 Andy GOKTAS 

>   So using the "-CAserial serial.srl" might be a good idea to avoid this.

>   Now this leads me to the next question:
>   -  Besides manually documenting a cross-reference for each certificate
>   that I sign to a serial number, is there any way to have this scripted, and
>   to have an appending log for the serial.srl file that's updated each time
>   it's used?  In short, a list of cert name (=CN perhaps) and serial number
>   associated with it.


__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Duplicate serial number

2010-09-23 Thread Pascal Delaunay
Hi,

The "database" file (an option in your openssl.conf) handles that
perfectly.

Cheers

Pascal




2010/9/22 Andy GOKTAS 

> So using the "-CAserial serial.srl" might be a good idea to avoid this.
>
> Now this leads me to the next question:
> -  Besides manually documenting a cross-reference for each certificate that
> I sign to a serial number, is there any way to have this scripted, and to have
> an appending log for the serial.srl file that's updated each time it's used?  In
> short, a list of cert name (=CN perhaps) and serial number associated with
> it.
>
> ??
>
> Thanks,
> Andy Goktas
>
> >>>  9/19/2010 1:53 PM >>>
> If you generate multiple certs with the same serial number, Firefox (and
> anything built with NSS) will absolutely refuse to have anything to do with
> those sites.  There's no "click 3 times to get access", it's a simple
> refusal to talk with a non-standards-compliant server.  (Of course, this
> puts the owner of the site in a lurch, because he doesn't run the CA in the
> vast majority of circumstances.)
>
> Other TLS clients and browsers likely will do the same.  I haven't checked
> though.
>
> -Kyle H
>
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS 
> wrote:
> > Hello,
> >
> > Just curious if anyone knows, but what happens if I generate multiple
> > server certs (using my self generated signing CA using openssl) that have
> > the same assigned serial number?
> >
> > Does this create a conflict within the network and if users' end up
> > accessing both certs, kabm?
> >
> > Is it merely a method of basic tracking on how many certificates a CA
> > signs?
> >
> > Thanks,
> > Andy Goktas


Re: Duplicate serial number

2010-09-23 Thread Patrick Patterson
Hi Andy:

If you use the OpenSSL CA scripts as shipped and documented both in the OpenSSL
documentation, the book, and numerous places on the web, they already use "index.txt"
as a list of all issued certificates. So no extra work is needed.

Have fun.

Patrick.

On 2010-09-22, at 4:52 PM, Andy GOKTAS wrote:

> So using the "-CAserial serial.srl" might be a good idea to avoid this.  
> 
> Now this leads me to the next question:  
> -  Besides manually documenting a cross-reference for each certificate that I
> sign to a serial number, is there any way to have this scripted, and to have an
> appending log for the serial.srl file that's updated each time it's used?  In
> short, a list of cert name (=CN perhaps) and serial number associated with
> it.
> 
> ??
> 
> Thanks,
> Andy Goktas
> 
> >>>  9/19/2010 1:53 PM >>>
> If you generate multiple certs with the same serial number, Firefox (and 
> anything built with NSS) will absolutely refuse to have anything to do with 
> those sites.  There's no "click 3 times to get access", it's a simple refusal 
> to talk with a non-standards-compliant server.  (Of course, this puts the 
> owner of the site in a lurch, because he doesn't run the CA in the vast 
> majority of circumstances.)
> 
> Other TLS clients and browsers likely will do the same.  I haven't checked 
> though.
> 
> -Kyle H
> 
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS  wrote:
>> Hello,
>> 
>> Just curious if anyone knows, but what happens if I generate multiple server 
>> certs (using my self generated signing CA using openssl) that have the same 
>> assigned serial number?
>> 
>> Does this create a conflict within the network and if users' end up
>> accessing both certs, kabm?
>> 
>> Is it merely a method of basic tracking on how many certificates a CA signs?
>> 
>> Thanks,
>> Andy Goktas

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





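The list Andy asks for (cert name against serial number) is already what the `ca` database holds, and Patrick's point is that `index.txt` is that list. The following is an added example, not code from the thread or from the OpenSSL project: it parses the `index.txt` layout that the `ca` tool writes (tab-separated: status, expiry, revocation date, hex serial, filename, one-line subject DN), prints the CN/serial cross-reference, and flags any serial that appears twice. The sample rows are constructed; a real `ca` database will never contain a duplicate serial, so the repeated `02` stands in for certificates signed with `x509 -req` outside the database and recorded by hand.

```python
"""Cross-reference CN and serial number from an OpenSSL `ca` index.txt.

Added example, not from the thread. Assumes the index.txt layout written by
`openssl ca`: six tab-separated fields per row, status (V/R/E), expiry
(YYMMDDHHMMSSZ), revocation date (empty unless revoked), hex serial,
certificate filename, and the subject DN in one-line form.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample index.txt. `ca` itself never writes two rows with the
# same serial; the duplicated 02 stands in for certs signed outside the
# database with `x509 -req` and recorded by hand.
SAMPLE_INDEX = (
    "V\t310101000000Z\t\t01\tunknown\t/C=CA/O=Example Corp/CN=www.example.test\n"
    "V\t310101000000Z\t\t02\tunknown\t/C=CA/O=Example Corp/CN=mail.example.test\n"
    "V\t310101000000Z\t\t02\tunknown\t/C=CA/O=Example Corp/CN=vpn.example.test\n"
    "R\t310101000000Z\t200915120000Z\t03\tunknown\t/C=CA/O=Example Corp/CN=old.example.test\n"
)


class IndexEntry(NamedTuple):
    status: str      # V = valid, R = revoked, E = expired
    expiry: str      # YYMMDDHHMMSSZ
    revoked: str     # revocation time (optionally ",reason"); empty if not revoked
    serial: str      # hex serial as written by `ca`
    filename: str    # usually "unknown"
    subject: str     # one-line DN, e.g. /C=CA/O=Example Corp/CN=host


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt; reject malformed rows rather than guessing at them."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def common_name(subject: str) -> str:
    """Return the CN from a one-line DN (the last CN wins if several are present).

    Caveat: the one-line DN format does not escape '/' inside attribute
    values, so a DN with a slash in a value will not split cleanly here.
    """
    cn = ""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            cn = rdn[len("CN="):]
    return cn


def cn_serial_table(entries: List[IndexEntry]) -> List[Tuple[str, str, str]]:
    """The list Andy asked for: (CN, serial, status) for every issued certificate."""
    return [(common_name(e.subject), e.serial.upper(), e.status) for e in entries]


def duplicate_serials(entries: List[IndexEntry]) -> Dict[str, List[str]]:
    """Serials that appear more than once, mapped to the CNs that share them."""
    by_serial: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_serial[e.serial.upper()].append(common_name(e.subject))
    return {serial: cns for serial, cns in by_serial.items() if len(cns) > 1}


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    for cn, serial, status in cn_serial_table(rows):
        print(f"{serial:>8}  {status}  {cn}")
    for serial, cns in duplicate_serials(rows).items():
        print(f"DUPLICATE serial {serial}: {', '.join(cns)}")
```

Run it against a real database by reading `index.txt` from the `dir` named in the `[ ca ]` section of `openssl.cnf` and passing the text to `parse_index`; an empty `duplicate_serials` result is the check that every serial the CA has recorded is unique.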


Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
So using the "-CAserial serial.srl" might be a good idea to avoid this.  

Now this leads me to the next question:  
-  Besides manually documenting a cross-reference for each certificate that I
sign to a serial number, is there any way to have this scripted, and to have an
appending log for the serial.srl file that's updated each time it's used?  In
short, a list of cert name (=CN perhaps) and serial number associated with it.

??

Thanks,
Andy Goktas

>>>  9/19/2010 1:53 PM >>>
If you generate multiple certs with the same serial number, Firefox (and 
anything built with NSS) will absolutely refuse to have anything to do with 
those sites.  There's no "click 3 times to get access", it's a simple refusal 
to talk with a non-standards-compliant server.  (Of course, this puts the owner 
of the site in a lurch, because he doesn't run the CA in the vast majority of 
circumstances.)

Other TLS clients and browsers likely will do the same.  I haven't checked 
though.

-Kyle H

On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS  wrote:
> Hello,
>
> Just curious if anyone knows, but what happens if I generate multiple server 
> certs (using my self generated signing CA using openssl) that have the same 
> assigned serial number?
>
> Does this create a conflict within the network and if users' end up
> accessing both certs, kabm?
>
> Is it merely a method of basic tracking on how many certificates a CA signs?
>
> Thanks,
> Andy Goktas


Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
Great!  Thanks for that information Patrick.  :) 

Thanks,
Andy Goktas

>>> Patrick Patterson  9/17/2010 6:11 AM >>>
Hi Andy:

Well, aside from violating most of the standards around PKI, the main problem 
you will have is revocation - the way you revoke a certificate is to put its
serial number on a CRL. So if you have multiple certs with the same serial 
number, if you ever need to revoke one of those certificates, you will end up 
revoking them all.

The reason that the standards are written that way is that the principle is 
that the tuple of the Issuer Name and Serial Number is able to uniquely 
identify any given certificate, which is important for any number of very good, 
trust related reasons.

Have fun!

Patrick.

On 2010-09-15, at 4:34 PM, Andy GOKTAS wrote:

> Hello, 
> 
> Just curious if anyone knows, but what happens if I generate multiple server 
> certs (using my self generated signing CA using openssl) that have the same 
> assigned serial number?  
> 
> Does this create a conflict within the network and if users' end up
> accessing both certs, kabm?
> 
> Is it merely a method of basic tracking on how many certificates a CA signs?  
> 
> Thanks,
> Andy Goktas


Re: Duplicate serial number

2010-09-19 Thread Chris Kistner
The serial number has to be unique for the issuer (CA).

You can have multiple certificates with the same SubjectName, but the
SerialNumber field has to be unique unless you're using a different
issuer.

Chris

On Sun, Sep 19, 2010 at 10:53 PM,   wrote:
> If you generate multiple certs with the same serial number, Firefox (and
> anything built with NSS) will absolutely refuse to have anything to do with
> those sites.  There's no "click 3 times to get access", it's a simple
> refusal to talk with a non-standards-compliant server.  (Of course, this
> puts the owner of the site in a lurch, because he doesn't run the CA in the
> vast majority of circumstances.)
>
> Other TLS clients and browsers likely will do the same.  I haven't checked
> though.
>
> -Kyle H
>
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS 
> wrote:
>>
>> Hello,
>>
>> Just curious if anyone knows, but what happens if I generate multiple
>> server certs (using my self generated signing CA using openssl) that have
>> the same assigned serial number?
>>
>> Does this create a conflict within the network and if users' end up
>> accessing both certs, kabm?
>>
>> Is it merely a method of basic tracking on how many certificates a CA
>> signs?
>>
>> Thanks,
>> Andy Goktas


Re: Duplicate serial number

2010-09-19 Thread aerowolf

If you generate multiple certs with the same serial number, Firefox (and anything built 
with NSS) will absolutely refuse to have anything to do with those sites.  There's no 
"click 3 times to get access", it's a simple refusal to talk with a 
non-standards-compliant server.  (Of course, this puts the owner of the site in a lurch, 
because he doesn't run the CA in the vast majority of circumstances.)

Other TLS clients and browsers likely will do the same.  I haven't checked 
though.

-Kyle H

On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS  wrote:

> Hello,
>
> Just curious if anyone knows, but what happens if I generate multiple server
> certs (using my self generated signing CA using openssl) that have the same
> assigned serial number?
>
> Does this create a conflict within the network and if users' end up accessing
> both certs, kabm?
>
> Is it merely a method of basic tracking on how many certificates a CA signs?
>
> Thanks,
> Andy Goktas


Re: Duplicate serial number

2010-09-17 Thread Patrick Patterson
Hi Andy:

Well, aside from violating most of the standards around PKI, the main problem 
you will have is revocation - the way you revoke a certificate is to put its
serial number on a CRL. So if you have multiple certs with the same serial 
number, if you ever need to revoke one of those certificates, you will end up 
revoking them all.

The reason that the standards are written that way is that the principle is 
that the tuple of the Issuer Name and Serial Number is able to uniquely 
identify any given certificate, which is important for any number of very good, 
trust related reasons.

Have fun!

Patrick.

On 2010-09-15, at 4:34 PM, Andy GOKTAS wrote:

> Hello, 
> 
> Just curious if anyone knows, but what happens if I generate multiple server 
> certs (using my self generated signing CA using openssl) that have the same 
> assigned serial number?  
> 
> Does this create a conflict within the network and if users' end up
> accessing both certs, kabm?
> 
> Is it merely a method of basic tracking on how many certificates a CA signs?  
> 
> Thanks,
> Andy Goktas
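Patrick's revocation point (a CRL names certificates by serial number, so revoking one serial revokes every certificate carrying it) and Chris's scoping point (the serial only has to be unique per issuer) can be shown with a small model. This is an added example, not code from the thread; the issuer names, serial numbers and hostnames are constructed, and the CRL is reduced to the one thing that matters here, the set of revoked serials signed by a given issuer.

```python
"""Why (issuer, serial) must be unique: revocation is by serial number.

Added example, not from the thread. It models the point Patrick makes
(revoking one serial revokes every cert carrying it) and the one Chris
makes (the same serial under a different issuer is a different cert).
All names and serials below are constructed.
"""
from typing import FrozenSet, List, NamedTuple, Tuple


class Cert(NamedTuple):
    issuer: str   # issuer DN
    serial: int
    subject: str  # CN of the server the cert was issued to


class CRL(NamedTuple):
    issuer: str              # the CA that signed this CRL
    revoked: FrozenSet[int]  # serial numbers listed as revoked


def cert_id(cert: Cert) -> Tuple[str, int]:
    """The tuple RFC 5280 relies on to name exactly one certificate."""
    return (cert.issuer, cert.serial)


def is_revoked(cert: Cert, crl: CRL) -> bool:
    """A CRL speaks only for its own issuer, and within it matches on serial alone."""
    return cert.issuer == crl.issuer and cert.serial in crl.revoked


def revocation_impact(certs: List[Cert], crl: CRL) -> List[str]:
    """Subjects a relying party would treat as revoked under this CRL."""
    return [c.subject for c in certs if is_revoked(c, crl)]


INTERNAL_CA = "CN=Example Internal CA,O=Example Corp"
OTHER_CA = "CN=Unrelated CA,O=Someone Else"

# Constructed: serial 42 was handed out twice by the internal CA (the mistake
# the thread is about), and happens to be in use at an unrelated CA as well.
ISSUED = [
    Cert(INTERNAL_CA, 7, "www.example.test"),
    Cert(INTERNAL_CA, 42, "mail.example.test"),
    Cert(INTERNAL_CA, 42, "vpn.example.test"),
    Cert(OTHER_CA, 42, "shop.other.test"),
]

# The operator only meant to revoke mail.example.test, but a CRL can only
# say "serial 42 is revoked"; vpn.example.test goes down with it, while the
# unrelated CA's serial 42 is untouched.
REVOKE_MAIL = CRL(INTERNAL_CA, frozenset({42}))


if __name__ == "__main__":
    print("revoked under REVOKE_MAIL:", revocation_impact(ISSUED, REVOKE_MAIL))
    print("same (issuer, serial)?", cert_id(ISSUED[1]) == cert_id(ISSUED[2]))
```

Running it lists both `mail.example.test` and `vpn.example.test` as revoked while `shop.other.test` stays valid, which is the whole of Patrick's argument: once two certificates share an `(issuer, serial)` pair there is no way to revoke one without the other.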


Duplicate serial number

2010-09-17 Thread Andy GOKTAS
Hello, 

Just curious if anyone knows, but what happens if I generate multiple server 
certs (using my self generated signing CA using openssl) that have the same 
assigned serial number?  

Does this create a conflict within the network and if users' end up accessing
both certs, kabm?

Is it merely a method of basic tracking on how many certificates a CA signs?  

Thanks,
Andy Goktas