> > > 2) Serial-number and entry in index.txt for self-signed-certs
> > >
> > > I have realized that a root-cert that was generated via req -x509...
> > > always gets the serial-number "00". I think this could lead to some
> > > trouble if you want to renew the root-cert (for whatever reason) with
> > > the same subject name. So it would be a good idea to use the value in
> > > the file "serial".
> >
> >
> > > And for consistency it should be possible to have the choice to include
> > > the corresponding values for the root-cert in "index.txt".
> >
> > As you don't issue a root cert using the -ca command, I think this could
> > be confusing, as we generally do not need to load config files and do not
> > have the need to configure dirs and so on (serial file, index.txt, etc.).
>
> I've looked at the code and have realized that it wasn't easy to do ...
> But what about the point of reissuing a root-cert without any changes in the
> DN/email?

I second this suggestion. I can't see why root certificates always have
to have a serial number of 00 and why neither index.txt nor serial are
being used by the applications in this case. Many CAs may want to choose
values different from 00 even for root certificates.

Cheers,

        Stefan.

______________________________________________________________________________
Stefan Kelm            PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA                                                      <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
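The risk the thread describes is that two distinct root certificates carry the same issuer DN and the same serial number (00), which RFC 5280 forbids and which relying software cannot tell apart. The following is an added illustration, not code from the thread or from OpenSSL: it reads the serialNumber out of a DER certificate with a minimal parser, emulates the hex "serial" file that `openssl ca` uses (read the value, write back the increment), and flags a (re)issued root whose serial is 00 or already recorded for the same DN. The certificate bytes are constructed stand-ins containing only the leading TBS fields, and the index rows are a constructed stand-in for index.txt; the subject DN and starting serial are made-up values. (Current OpenSSL versions no longer default `req -x509` to serial 00 and accept `-set_serial`, but the check is still useful on certificates made with older tooling.)

```python
# Added example (not from the thread or from OpenSSL): check a DER certificate's
# serial number, emulate OpenSSL's 'serial' file, and detect the collision the
# thread worries about: a renewed root with the same DN reusing serial 00.
import os
import tempfile


def _tlv(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_integer(value):
    """DER INTEGER: minimal two's-complement, big-endian (0 -> 00, 255 -> 00 FF)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_min_cert(serial):
    """Constructed stand-in for a v3 certificate: only the leading TBS fields
    (version [0] EXPLICIT INTEGER 2, serialNumber) are present, which is all
    cert_serial() needs. Not a real, verifiable certificate."""
    version = _tlv(0xA0, der_integer(2))
    tbs = _tlv(0x30, version + der_integer(serial))
    return _tlv(0x30, tbs)


def cert_serial(der):
    """Return serialNumber of a DER Certificate (v1 certs lack the [0] version)."""
    tag, cert_body, _ = _read_tlv(der, 0)
    tag2, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, val, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # version present; serialNumber is the next element
        tag, val, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)


def take_serial(serial_path):
    """Emulate OpenSSL's 'serial' file: return the hex value to use now and write
    the incremented value back with an even number of hex digits."""
    with open(serial_path) as f:
        current = int(f.read().strip(), 16)
    nxt = current + 1
    digits = len("%X" % nxt)
    digits += digits % 2
    with open(serial_path, "w") as f:
        f.write("%0*X\n" % (digits, nxt))
    return current


def root_serial_problems(index_entries, root_der, root_subject):
    """index_entries: constructed stand-in for index.txt rows as (serial_hex, subject).
    Returns the findings for a (re)issued root certificate; empty means no problem."""
    serial = cert_serial(root_der)
    findings = []
    if serial <= 0:
        findings.append("serial is not positive (old 'req -x509' wrote 00); RFC 5280 requires > 0")
    for ser_hex, subject in index_entries:
        if int(ser_hex, 16) == serial and subject == root_subject:
            findings.append("issuer/serial pair already used by an earlier root with the same DN")
    return findings


if __name__ == "__main__":
    subject = "/C=DE/O=Example CA/CN=Example Root"  # constructed DN
    old_root = build_min_cert(0)  # what 'req -x509' produced at the time of the thread
    print("old root serial:", cert_serial(old_root))

    workdir = tempfile.mkdtemp()
    serial_file = os.path.join(workdir, "serial")
    with open(serial_file, "w") as f:
        f.write("0FFF\n")  # constructed starting value, as one would `echo 0FFF > serial`
    new_root = build_min_cert(take_serial(serial_file))
    with open(serial_file) as f:
        print("new root serial:", hex(cert_serial(new_root)), "next in file:", f.read().strip())

    index = [("00", subject)]  # the original root recorded in index.txt, as the thread suggests
    print("old root reissued:", root_serial_problems(index, old_root, subject))
    print("new root:", root_serial_problems(index, new_root, subject))
```

Recording the root in index.txt, as the thread proposes, is what makes the second check possible: without that row there is nothing to compare a renewed root against.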