[TriLUG] it's late.. ssl question

Greg Brown gregbrown at mindspring.com
Mon Oct 11 00:06:46 EDT 2004


Nope, still having the same issue with firefox even after building the
new cert with the -set_serial 01 option.  I'll try again in the morning,
it's just too late now.

But thanks very much for the pointer!

Greg

On Oct 10, 2004, at 10:55 PM, David A. Cafaro wrote:

> Ok found it, try the "-set_serial 01" option, that should do it.
>
> -David
>
> On Sun, 2004-10-10 at 22:51, David A. Cafaro wrote:
>> Your problem is that you previously had a certificate that you probably
>> generated that had serial number "00" for the first certificate.  When
>> you generated your new certificate, you generated it with the same
>> serial number of "00".  Now if any web browser has the old certificate
>> saved, it will fail because it's seeing a different certificate for the
>> same site with the same serial number.  You have two options to fix
>> this.  Delete the saved certificate on any browser that might have it
>> saved, or generate a new certificate with the serial incremented by
>> one.  I actually did this once before, but would have to go back through
>> my docs to remember how.  I don't think it was too difficult; I think you
>> can set it via command line or in the openssl.cnf file.
>>
>>
>> On Sun, 2004-10-10 at 22:43, Greg Brown wrote:
>>> I must be looking over something very obvious.  I reinstalled my server
>>> OS, CentOS in this case, and installed http via yum.  I also installed
>>> openssl and created a key using the following command:
>>>
>>> openssl req -new -x509 -extensions v3_ca -keyout \
>>> private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
>>>
>>> I then installed mod_ssl from yum which previously, after the first two
>>> steps, would allow me to use https encryption.  For some reason I now
>>> get an error when I try to access my web server via https.  The error
>>> is:
>>>
>>> "You have received an invalid certificate. Please contact the server
>>> administrator or email correspondent and give them the following
>>> information:
>>>
>>> Your certificate contains the same serial number as another certificate
>>> issued by the certificate authority. Please get a new certificate
>>> containing a unique serial number."
>>>
>>> I'm fairly tired so I think I'm missing something really basic.  All
>>> I'm doing is using a self-signed key.  The browser (safari, firefox)
>>> should use this certificate but warn the user that it's self-signed.
>>>
>>> Where am I going wrong?
>>>
>>> Greg
>> -- 
>> David A. Cafaro
>> dac(at)trilug.org
>> Admin to User: "You did what!?!?!"
> -- 
> David A. Cafaro
> dac(at)trilug.org
> Admin to User: "You did what!?!?!"
>
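
One way to check the condition the browser error in this thread describes, namely two different certificates carrying the same issuer and serial number (added example, not part of the original messages). The CN www.example.test, the file names and the function names are constructed, and it uses throwaway 2048-bit RSA keys instead of the poster's openssl.cnf.

```shell
#!/bin/sh
# Added example. CN, file names and function names are constructed.

# make_cert <dir> <name> <serial>: throwaway self-signed cert with explicit serial.
make_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=www.example.test" -set_serial "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# cert_id <pem>: print "issuer|serial", the pair a client expects to be unique.
cert_id() {
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    s=$(openssl x509 -in "$1" -noout -serial)
    printf '%s|%s\n' "${i#issuer=}" "${s#serial=}"
}

# fingerprint <pem>: SHA-256 over the whole certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# collides <a.pem> <b.pem>: true when two different certs share issuer+serial.
collides() {
    [ "$(cert_id "$1")" = "$(cert_id "$2")" ] &&
        [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert "$work" old 01      # certificate a browser may already have stored
make_cert "$work" same 01     # regenerated with the same serial
make_cert "$work" bumped 02   # regenerated with a new serial

for c in same bumped; do
    if collides "$work/old.pem" "$work/$c.pem"; then
        echo "$c.pem: same issuer and serial as old.pem ($(cert_id "$work/$c.pem"))"
    else
        echo "$c.pem: issuer/serial differs from old.pem ($(cert_id "$work/$c.pem"))"
    fi
done
```

To compare a real pair, call `collides` with the previously served certificate and the newly generated one.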



