Bug 151190

Summary: System Adm. Guide: Serial numbers are not explained when creating self-signed CRT
Product: Red Hat Enterprise Linux 4
Reporter: Milan Kerslager <milan.kerslager>
Component: rhel-sag
Assignee: John Ha <jha>
Status: CLOSED CURRENTRELEASE
QA Contact: Michael Hideo <mhideo>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.5
CC: adstrong, ddomingo, tmraz
Target Milestone: ---
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-31 23:32:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 152485

Description Milan Kerslager 2005-03-15 21:07:56 UTC
When creating a self-signed certificate (as a lot of people do), every
new certificate (for the same server) must have a different serial number. If not,
Mozilla and Firefox refuse to display a page covered by a new
certificate with the same serial as another certificate already stored in
Firefox/Mozilla. The user must wipe out the old certificate from
his WWW client by hand first.

This should be written in the RHEL docs, as only a few people know about it
(if we count people who are reading the SAG). The parameter is
'-set_serial num', which should be added to the line with 'openssl req
...'.

So please extend the appropriate section.

I submitted bug #151188 with a patch for the Makefile from the openssl
package to easily pass a serial number when using 'make testcert
SERIAL=num', as you wrote about in the SAG.

The default behavior is to create a certificate with serial 0 (zero),
and the patch does not change this when no SERIAL parameter is used.
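
An added example (not part of the bug report or of the openssl package's Makefile) of what the description asks the docs to cover: generating a self-signed certificate with a randomised serial via '-set_serial', reading the serial back from the resulting CRT, and checking that two certificates issued for the same server do not share a serial. It assumes the openssl command line is available; the CN, directories and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Requires the openssl CLI.
set -eu

# Create key + self-signed certificate for CN=$1 in directory $2.
# The serial is 16 random bytes in hex, prefixed with 0x as -set_serial
# expects; without -set_serial the serial defaults to 0, which collides
# with every other default-serial certificate a browser has stored.
make_selfsigned() {
    cn=$1; dir=$2
    serial="0x$(openssl rand -hex 16)"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" -set_serial "$serial" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    printf '%s\n' "$serial"
}

# Print the serial stored in certificate $1 (uppercase hex, no 0x).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeed (exit 0) only when the certificate's serial is not zero.
serial_is_nonzero() {
    s=$(cert_serial "$1")
    [ "$s" != "00" ] && [ "$s" != "0" ]
}

# Succeed (exit 0) when two certificates carry the same serial: the
# condition that makes Mozilla/Firefox reject the newer one.
same_serial() {
    [ "$(cert_serial "$1")" = "$(cert_serial "$2")" ]
}
```

Run with a fresh directory per certificate; 'same_serial old.crt new.crt' is the pre-deployment check that the newer certificate will not be rejected by a client still holding the old one.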

Comment 1 Andrius Benokraitis 2005-03-17 17:09:11 UTC
Bug will be accepted once the root development bug is accepted, modified, and
available for a future Update. Even if this is a legitimate bug, I am not sure
which Update Tomas can have it tested/fixed by, and I can't modify the docs
until the fix is upstream.

THANK YOU SO MUCH for including documentation in this matter!

Depending on the timeline for the fix, I can add a "Note" that states the issue
in the meantime...

waiting on Tomas...

Comment 4 Don Domingo 2007-03-20 23:41:38 UTC
Assigning this bug to jha for processing.

Comment 5 Michael Hideo 2007-07-09 00:54:43 UTC
Please confirm that the line:

/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key

should read:

/usr/bin/openssl req -new -key -set_serial num /etc/httpd/conf/ssl.key/server.key

Comment 6 Michael Hideo 2007-10-23 02:51:57 UTC
Removing automation notification.

Comment 7 Milan Kerslager 2008-04-04 14:22:17 UTC
Yes. I see no serial number explanation in the current RH docs.