On Fri August 8 2008 05:10, Ger Hobbelt wrote:
> It may not be the number itself, but the file indexing;
<quote="Goetz Babin-Ebell">
> There may be another option, called CA_dir (or something like that).
> It contains every CA certificate in a separate file and optionally
> all CRLs to use.
> You run c_rehash on this directory to create special links OpenSSL
> can use to find CA certificates and their CRLs...
>
> These links contain an 8 byte hash value and an extension
> to differentiate between CA files and CRL files.
> This 8 byte hash is not calculated on the file,
> but on the subject DN.
</quote>

In another ml thread.

Mike

> Hm... I don't have the sources for 0.9.7 around, but when I quickly
> look at the 0.9.9 code, it shouldn't do this (a2i_ASN1_INTEGER() is
> used to convert the hex text in the file to a BigNum and to address
> the sign mentioned before: AFAICS that routine requires an ASCII '-'
> to identify negative values; it does not 'sign-extend' hex digits;
> besides, if it had, we'd already have been in trouble when the serial went
> from '7F' to '80')
>
> It may be that apps/ca.c + apps/apps.c in 0.9.7a is not (yet) using
> this a2i_... function or that there's a typecast to char or some such
> around (your problem smells a lot like that), so the only way out for
> now that I can imagine is get an OpenSSL source tree from OpenSSL.org,
> dump it in a temp directory for testing and build/compile it so you
> get another apps/ca binary in there; it's not hard to do, so you
> should be fine. Just read the instructions for configure and make and
> you should be good to go.
>
> Then it will probably work out okay if you copy that demoCA directory
> of yours over the openssl-testdir/apps/demoCA directory, then try
> running the newly compiled ca binary to produce a certificate with
> serial '0100'. Should work out all right, though I must state that I
> haven't used ca+demoCA enough to surpass the byte boundary you've run
> into.
>
> So not a sure solution, but a probable direction towards solving this.
>
> HTH,
>
> Ger
>
> PS: and yes, generally you can replace the demoCA directory across
> OpenSSL versions of apps/ca, but always test to make sure when you
> migrate (just a general 'test-before-release' note, nothing particular
> to OpenSSL). Done it several times myself in my dev/test environments.
>
>
> On Fri, Aug 8, 2008 at 6:26 AM, David Skeen <[EMAIL PROTECTED]> wrote:
> > Thanks for the response!
> >
> > Not sure what U are referring to about illegal cert number.
> >
> > Here is some more info:
> > [EMAIL PROTECTED] demoCA]# ls
> > cacert.pem  crl        index.txt.old  pem      serial
> > certs       index.txt  newcerts       private  serial.old
> > [EMAIL PROTECTED] demoCA]# cat serial
> > 0100
> > [EMAIL PROTECTED] demoCA]# cat serial.old
> > FF
> > [EMAIL PROTECTED] demoCA]# ls newcerts
> > 01.pem 1B.pem 35.pem 4F.pem 69.pem 83.pem 9D.pem B7.pem D1.pem EB.pem
> > 02.pem 1C.pem 36.pem 50.pem 6A.pem 84.pem 9E.pem B8.pem D2.pem EC.pem
> > 03.pem 1D.pem 37.pem 51.pem 6B.pem 85.pem 9F.pem B9.pem D3.pem ED.pem
> > 04.pem 1E.pem 38.pem 52.pem 6C.pem 86.pem A0.pem BA.pem D4.pem EE.pem
> > 05.pem 1F.pem 39.pem 53.pem 6D.pem 87.pem A1.pem BB.pem D5.pem EF.pem
> > 06.pem 20.pem 3A.pem 54.pem 6E.pem 88.pem A2.pem BC.pem D6.pem F0.pem
> > 07.pem 21.pem 3B.pem 55.pem 6F.pem 89.pem A3.pem BD.pem D7.pem F1.pem
> > 08.pem 22.pem 3C.pem 56.pem 70.pem 8A.pem A4.pem BE.pem D8.pem F2.pem
> > 09.pem 23.pem 3D.pem 57.pem 71.pem 8B.pem A5.pem BF.pem D9.pem F3.pem
> > 0A.pem 24.pem 3E.pem 58.pem 72.pem 8C.pem A6.pem C0.pem DA.pem F4.pem
> > 0B.pem 25.pem 3F.pem 59.pem 73.pem 8D.pem A7.pem C1.pem DB.pem F5.pem
> > 0C.pem 26.pem 40.pem 5A.pem 74.pem 8E.pem A8.pem C2.pem DC.pem F6.pem
> > 0D.pem 27.pem 41.pem 5B.pem 75.pem 8F.pem A9.pem C3.pem DD.pem F7.pem
> > 0E.pem 28.pem 42.pem 5C.pem 76.pem 90.pem AA.pem C4.pem DE.pem F8.pem
> > 0F.pem 29.pem 43.pem 5D.pem 77.pem 91.pem AB.pem C5.pem DF.pem F9.pem
> > 10.pem 2A.pem 44.pem 5E.pem 78.pem 92.pem AC.pem C6.pem E0.pem FA.pem
> > 11.pem 2B.pem 45.pem 5F.pem 79.pem 93.pem AD.pem C7.pem E1.pem FB.pem
> > 12.pem 2C.pem 46.pem 60.pem 7A.pem 94.pem AE.pem C8.pem E2.pem FC.pem
> > 13.pem 2D.pem 47.pem 61.pem 7B.pem 95.pem AF.pem C9.pem E3.pem FD.pem
> > 14.pem 2E.pem 48.pem 62.pem 7C.pem 96.pem B0.pem CA.pem E4.pem FE.pem
> > 15.pem 2F.pem 49.pem 63.pem 7D.pem 97.pem B1.pem CB.pem E5.pem FF.pem
> > 16.pem 30.pem 4A.pem 64.pem 7E.pem 98.pem B2.pem CC.pem E6.pem
> > 17.pem 31.pem 4B.pem 65.pem 7F.pem 99.pem B3.pem CD.pem E7.pem
> > 18.pem 32.pem 4C.pem 66.pem 80.pem 9A.pem B4.pem CE.pem E8.pem
> > 19.pem 33.pem 4D.pem 67.pem 81.pem 9B.pem B5.pem CF.pem E9.pem
> > 1A.pem 34.pem 4E.pem 68.pem 82.pem 9C.pem B6.pem D0.pem EA.pem
> >
> >
> > I am not fully comprehending the whole demoCA procedure, however it is
> > rather odd that things have stopped working as the serial number ticks
> > over to 0100 from FF. Was hoping someone might have come across this
> > before ...
> >
> > Also, as a potential solution, is there a method for simply copying over
> > a demoCA from an old server to a new server?
> >
> > David Skeen
> > JDS Solutions
> >
> > On Thu, 2008-08-07 at 20:19 -0700, David Schwartz wrote:
> >> > I have had a look around and it appears that the serial number
> >> > for the last certificate created was FF (hex), indicating 256
> >> > certificates have so far been created. The next number in the
> >> > serial file is 0100, which would seem the logical next number,
> >> > however the certificate signing bails out on me.
> >>
> >> FF is not a legal certificate number. Certificate numbers must not be
> >> negative. (0xFF has the sign bit set and hence is negative.)
> >>
> >> DS
> >>
> >>
> >> ______________________________________________________________________
> >> OpenSSL Project                                 http://www.openssl.org
> >> User Support Mailing List                    openssl-users@openssl.org
> >> Automated List Manager                           [EMAIL PROTECTED]
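The thread turns on two readings of the same two hex digits: the `serial` file as an unsigned magnitude (so "FF" is 255 and "0100" is 256), versus some code path narrowing the value through a signed byte (so "FF" becomes -1, which is exactly the "negative serial" David Schwartz describes). The Python below is an added, stand-alone illustration of that distinction and of how a positive INTEGER whose top bit is set has to be DER-encoded with a leading 0x00 so it stays non-negative on the wire; it is not code from the thread, from any of the posters, or from OpenSSL. It assumes the serial-file conventions the thread shows (upper-case hex, even-length output such as "0100", only an explicit '-' meaning negative, as Ger describes for a2i_ASN1_INTEGER()); the positivity and 20-octet limits come from RFC 5280 section 4.1.2.2. All sample values are constructed.

```python
"""Serial-number handling for a file-based CA (constructed example, not OpenSSL code)."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_serial_text(text: str) -> int:
    """Read the serial file as an unsigned hex magnitude with an optional '-'.

    Only an explicit ASCII '-' makes the value negative; hex digits are never
    sign-extended, so "FF" is 255 and "0100" is 256.
    """
    s = text.strip()
    negative = s.startswith("-")
    if negative:
        s = s[1:]
    if not s or any(c not in HEX_DIGITS for c in s):
        raise ValueError(f"serial file does not hold hex digits: {text!r}")
    value = int(s, 16)
    return -value if negative else value


def parse_serial_as_signed_bytes(text: str) -> int:
    """The failure mode: the same text read as two's-complement bytes.

    Any path that narrows the value through a signed char behaves like this:
    "FF" becomes -1 while "0100" is still 256, so the CA breaks at exactly the
    FF -> 0100 boundary the thread reports.
    """
    s = text.strip()
    if len(s) % 2:
        s = "0" + s
    return int.from_bytes(bytes.fromhex(s), "big", signed=True)


def format_serial_text(value: int) -> str:
    """Write a serial back in even-length upper-case hex ("FF", "0100")."""
    if value < 0:
        raise ValueError("refusing to write a negative serial")
    h = format(value, "X")
    return h if len(h) % 2 == 0 else "0" + h


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement content octets of an ASN.1 INTEGER."""
    if value == 0:
        return b"\x00"
    # One extra bit reserves room for the sign, so 0xFF encodes as 00 FF, not FF.
    n = (value.bit_length() + 8) // 8
    content = value.to_bytes(n, "big", signed=True)
    # DER demands the shortest form: drop redundant leading sign octets.
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        content = content[1:]
    return content


def der_integer(value: int) -> bytes:
    """Full TLV: tag 0x02, DER length, content octets."""
    content = der_integer_content(value)
    return b"\x02" + der_length(len(content)) + content


def check_rfc5280_serial(value: int) -> list:
    """Return the RFC 5280 section 4.1.2.2 rules a serial number violates."""
    problems = []
    if value <= 0:
        problems.append("serial must be a positive integer")
    if len(der_integer_content(value)) > 20:
        problems.append("serial must fit in 20 content octets")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two serial files from the thread.
    for text in ("FF", "0100"):
        unsigned = parse_serial_text(text)
        signed = parse_serial_as_signed_bytes(text)
        print(f"{text}: unsigned={unsigned} signed-byte={signed} "
              f"DER={der_integer(unsigned).hex()} "
              f"problems={check_rfc5280_serial(unsigned)}")
    print("next after FF:", format_serial_text(parse_serial_text("FF") + 1))
```

Run as a script it prints both readings of "FF" and "0100" side by side; the unsigned reading passes the RFC 5280 check and encodes 255 as `02 02 00 ff`, which is why a correctly behaving `ca` has no trouble at that boundary and a misbehaving one fails there.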