On 10/03/2012 05:49 AM, Dave Thompson wrote:
>> I deleted index.txt and reset serial.txt to 00 and that
>> solved the problem.
>>
>> Hope that was not a terrible idea.
In my opinion, reusing serials is a *very bad* idea in general. It is definitely deprecated and maybe forbidden in some legal contexts (I work in Italy; no officially appointed CA would reuse serials here).

Think about the existence of an OpenSSL function named X509_issuer_and_serial_hash. It exists exactly because serials are intended to be unique, and combining them with the CA (the hash is for leveraging the output) makes it easy to have a unique identifier for certificates in a system; I personally use it.

Just to present another example, OCSP can be queried by a serial number (of the certificate that is to be verified).

(Sorry I'm not keeping the whole message. My MX is on a blacklist and I'm forced to use an awkward webmail interface...)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
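The serial reuse the reply warns about, shown as an added Go example (not code from the thread or from OpenSSL): a constructed test CA issues two unrelated certificates with the same serial, and an identifier built from issuer plus serial, the role X509_issuer_and_serial_hash fills in OpenSSL, can no longer tell them apart. The CA name, the subjects and the SHA-1 construction are assumptions made for this example, not OpenSSL's actual hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuerSerialID stands in for OpenSSL's X509_issuer_and_serial_hash (own SHA-1 over issuer DN + serial, not OpenSSL's exact hash).
func IssuerSerialID(c *x509.Certificate) [sha1.Size]byte {
	return sha1.Sum(append(append([]byte{}, c.RawIssuer...), c.SerialNumber.Bytes()...))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for cn with the given serial and a fresh P-256 key; parent == nil yields a self-signed CA. Constructed test material only.
func issue(serial int64, cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key // self-signed root: the template is its own issuer
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// ReissueCollision replays the thread: the CA issues serial 02, serial.txt is reset, and an unrelated certificate is later issued with the same serial.
func ReissueCollision() (first, second *x509.Certificate) {
	ca, caKey := issue(1, "Constructed Test CA", nil, nil)
	first, _ = issue(2, "alice.example", ca, caKey) // serial 02, first issuance
	second, _ = issue(2, "bob.example", ca, caKey)  // serial 02 reused: new subject, new key, same issuer+serial key
	return first, second
}

func main() {
	a, b := ReissueCollision()
	fmt.Println("same issuer+serial identifier:", IssuerSerialID(a) == IssuerSerialID(b))
}
```

An OCSP CertID is built the same way (issuer name hash, issuer key hash, serial), so a responder asked about serial 02 under this CA has a single answer for two different certificates, and a revocation recorded for one is reported for the other.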