Bug 151190 - System Adm. Guide: Serial numbers are not explained when creating self signed CRT
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rhel-sag
All Linux
medium Severity medium
Assigned To: John Ha
Michael Hideo
: Documentation
Blocks: 152485
Reported: 2005-03-15 16:07 EST by Milan Kerslager
Modified: 2014-08-04 18:15 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-08-31 19:32:24 EDT

Description Milan Kerslager 2005-03-15 16:07:56 EST
When creating a self-signed certificate (as a lot of people do), every
new one (for the same server) must have a different serial number. If not,
Mozilla and Firefox refuse to display a page covered by a new
certificate with the same serial as another certificate already stored in
Firefox/Mozilla. The user must wipe out the old certificate from
his WWW client by hand first.

This should be written in the RHEL docs as only a few people know about it
(if we count people who are reading SAG). The parameter is
'-set_serial num', which should be added to the line with 'openssl req'.

So please extend appropriate section.

I submitted bug #151188 with a patch for the Makefile from the openssl
package to easily pass a serial number when using 'make testcert
SERIAL=num', as you wrote about in SAG.

The default behavior is to create a certificate with a serial 0 (zero)
and the patch does not change this when no SERIAL parameter is used.
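The renewal case described above, as an added example that is not part of the bug report, the SAG or the openssl package's Makefile: two self-signed certificates are issued for the same server key and subject, each with its own serial fixed by 'openssl req -set_serial', and the serials are read back the way a client would compare them. It assumes the openssl command line tool is installed; the key path, output paths and subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or the SAG: self-signed certificates
# for one server with distinct serial numbers. Paths and subject are constructed.
set -eu

# new_key FILE: generate the server key that both certificates reuse, as happens
# when a self-signed certificate is regenerated for the same host.
new_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# self_signed KEY SERIAL OUT: self-signed certificate with an explicit serial.
# -set_serial takes decimal or 0x-prefixed hex. It is an option of 'req' in its
# own right, so it sits beside -key rather than between -key and the key path.
self_signed() {
    openssl req -new -x509 -key "$1" -set_serial "$2" -days 365 \
        -subj "/CN=www.example.com" -out "$3" 2>/dev/null
}

# cert_serial CERT: print the serial as openssl reports it (uppercase hex,
# 'serial=' prefix stripped); this is the value a client store keys on.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# random_serial: a 64-bit random serial in 0x form, for setups that keep no
# counter between renewals and still need to avoid a collision.
random_serial() {
    printf '0x%s\n' "$(openssl rand -hex 8)"
}

# demo DIR: write the key and an old and a new certificate into DIR.
# Returns 0 only if the two certificates cannot collide on serial in a
# browser's certificate store.
demo() {
    new_key "$1/server.key"
    self_signed "$1/server.key" 1 "$1/server-old.crt"
    self_signed "$1/server.key" 2 "$1/server-new.crt"
    old_serial=$(cert_serial "$1/server-old.crt")
    new_serial=$(cert_serial "$1/server-new.crt")
    echo "old serial: $old_serial  new serial: $new_serial"
    [ "$old_serial" != "$new_serial" ]
}

if command -v openssl >/dev/null 2>&1; then
    demo "$(mktemp -d)"
fi
```

Current OpenSSL releases generate a random serial when -set_serial is omitted, so the serial-0 default the report describes applies to the OpenSSL of that era; an explicit serial still makes renewals predictable and auditable.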
Comment 1 Andrius Benokraitis 2005-03-17 12:09:11 EST
Bug will be accepted once root development bug is accepted, modified, and
available for a future Update. Even if this is a legitimate bug, not sure for
which Update Tomas can have it tested/fixed by, and I can't modify the docs
until the fix is upstream.

THANK YOU SO MUCH for including documentation in this matter!

Depending on the timeline for the fix, I can add a "Note" that states the issue
in the meantime...

waiting on Tomas... 
Comment 4 Don Domingo 2007-03-20 19:41:38 EDT
assigning this bug to jha@redhat.com for processing
Comment 5 Michael Hideo 2007-07-08 20:54:43 EDT
Please confirm that the line:

/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key 

Should read:
/usr/bin/openssl req -new -key -set_serial num /etc/httpd/conf/ssl.key/server.key 
Comment 6 Michael Hideo 2007-10-22 22:51:57 EDT
Removing automation notification
Comment 7 Milan Kerslager 2008-04-04 10:22:17 EDT
Yes. I see no serial number explanation in the current RH's docs.
