> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 01 October, 2012 10:12

> Is there specific documentation anywhere for TXT_DB errors?

AFAIK only $sourcetree/crypto/txt_db/txt_db.h

Unlike most(?) other modules in openssl, txt_db does NOT use the ERR_
module with its error strings capability; bummer.

> I'm not a total newbie at this but I am not an expert. I have issued
> server certificates before but now I am stuck on a TXT_DB error 2.

2 is DB_ERROR_INDEX_CLASH.

> serial.txt exists and contains 1C. index.txt exists and contains 17
> (decimal) lines.

Does any line in index.txt have col 3 (serial) 1C?

All certs from a CA (at least under a given CA key+cert if you chain
with AKI, as is generally best practice but optional in openssl) must
have unique serials, and openssl 'ca' enforces this with an in-memory
index on the data in the file (normally, and a bit misleadingly, named)
index.txt, in addition to using the file serial, which, if not
interfered with, assigns sequential and thus unique values.

If serial(.txt?) started from 00 or 01, and only 'ca' updated it, and
you didn't delete any lines from index.txt or replace it with a
copy/version that is missing lines (like a backup), you should have 27
or 28 (respectively) lines in index.txt, one for each serial value
through hex 1B in sequence.

The usual name for the serial file is just serial, no .txt. I assume
either this is a typo or you changed the config so that serial.txt is
actually being used. If not, look at the file that is actually being
used.

> Unless I am confused the CN I am trying to issue for is unique. A
> revoke for the_cn_name.PEM fails. However some of the additional DNS
> in the certificate are not unique. Is that a problem? In other words,
> I am trying to issue foo.PEM for CN=foo. foo.PEM does not exist and
> O=foo does not appear in index.txt. But I am trying to issue the
> certificate with DNS.2=bar. I may already have outstanding unrevoked
> certificates with DNS.2=bar. Is that a problem?

You say revoke (I assume ca -revoke) the_cn_name.PEM 'fails', but then
you say CN=foo and foo.PEM does not exist. -revoke uses existing cert
file(s) to determine the serial and check the subject. If the file
doesn't exist this can't work. Was the error nonexistent file, or
something else, and if so what?

A cert's subject (or other) DN (Distinguished Name) can have multiple
attributes; CN (Common Name) is the only one important for SSL, or at
least for an HTTPS server, and maybe all you are using. Specifically,
do you mean a subject of /CN=foo or /O=foo ? Those are *different* DNs
as far as X.509 is concerned, but the latter is not useful for an SSL
server cert.

Further, there is no requirement that the subject DN be unique. You can
quite reasonably have multiple certs for one subject, from the same CA
(with different serials) or different CAs. It may sometimes be
confusing and undesirable, and openssl 'ca' has an option to reject it
(within one CA) but not by default. Did you configure that on?

The *issuer* DN, i.e. the *CA* DN, should be unique, to allow openssl
to verify, or auto-chain, a child cert. If you only created yourself
one CA key+cert, it is necessarily unique.

Assuming you mean DNS.2 *in subjectAltName aka SAN*, SAN values (also)
don't need to be unique and aren't checked. I guess .2=bar and
(.1)=subject=foo, another good practice not enforced by openssl?

Aside: I'm pretty sure you don't need the .nnn i.e. .2 here, since
openssl treats subjectAltName as one attribute containing multiple
values, not multiple attributes that must be combined.

> What should I be looking for that accounts for TXT_DB error 2 in this
> situation? Is there authoritative documentation I should be reading?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
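The serial-clash diagnosis suggested above (does any index.txt row already carry the serial that the serial file will hand out next, and are there gaps in the sequence that point to deleted rows) can be scripted. This is an added example, not code from the thread or from OpenSSL; the index.txt rows and the serial-file contents are constructed, and the column positions are the standard 'ca' layout (status, expiry, revocation, serial, file, subject).

```python
"""Check an openssl 'ca' index.txt for the conditions behind TXT_DB
error 2 (DB_ERROR_INDEX_CLASH). Example code, not part of OpenSSL."""
from collections import Counter

# Tab-separated columns of an index.txt row; serial is column 3.
SERIAL_COL = 3
SUBJECT_COL = 5

# Constructed sample: serials 1A..1C issued, 1C already revoked.
SAMPLE_INDEX = (
    "V\t230101000000Z\t\t1A\tunknown\t/CN=foo\n"
    "V\t230101000000Z\t\t1B\tunknown\t/CN=bar\n"
    "R\t230101000000Z\t220601000000Z,superseded\t1C\tunknown\t/CN=foo\n"
)
SAMPLE_SERIAL_FILE = "1C\n"  # constructed: same value as an existing row


def parse_index(text):
    """Split index.txt into rows, skipping blank lines."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def duplicate_serials(rows):
    """Serials present on more than one row (the index itself is broken)."""
    counts = Counter(r[SERIAL_COL].upper() for r in rows)
    return sorted(s for s, n in counts.items() if n > 1)


def next_serial_clashes(rows, serial_file_text):
    """True if the serial file's value is already used: the next 'ca'
    run would insert a row with that serial and hit the unique index."""
    nxt = serial_file_text.strip().upper()
    return any(r[SERIAL_COL].upper() == nxt for r in rows)


def missing_serials(rows, serial_file_text, start=0):
    """Serials from start up to the serial file's value with no row.
    'ca' issues sequentially, so gaps mean rows were deleted or the
    index was replaced by an older copy."""
    nxt = int(serial_file_text.strip(), 16)
    present = {int(r[SERIAL_COL], 16) for r in rows}
    return [f"{v:02X}" for v in range(start, nxt) if v not in present]


def repeated_subjects(rows):
    """Subject DNs with several rows; only rejected when unique_subject is on."""
    counts = Counter(r[SUBJECT_COL] for r in rows)
    return sorted(s for s, n in counts.items() if n > 1)


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    print("duplicate serials:", duplicate_serials(rows))
    print("next serial clashes:", next_serial_clashes(rows, SAMPLE_SERIAL_FILE))
    print("gaps since 19:", missing_serials(rows, "1D", start=0x19))
    print("repeated subjects:", repeated_subjects(rows))
```

Run it against a real CA directory by reading index.txt and the serial file into the two text arguments; a True from next_serial_clashes reproduces the error 2 condition before 'ca' is run.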