When creating a self-signed certificate (as a lot of people do), every new one (for the same server) must have a different serial number. If not, Mozilla and Firefox refuse to display a page covered by a new certificate with the same serial as another certificate already stored in Firefox/Mozilla. The user must first wipe out the old certificate from his WWW client by hand. This should be written in the RHEL docs, as only a few people know about it (if we count people who are reading the SAG). The parameter is '-set_serial num', which should be added to the line with 'openssl req ...'. So please extend the appropriate section. I submitted bug #151188 with a patch for the Makefile from the openssl package to easily pass a serial number when using 'make testcert SERIAL=num', as you wrote about in the SAG. The default behavior is to create a certificate with a serial of 0 (zero), and the patch does not change this when no SERIAL parameter is used.
Bug will be accepted once root development bug is accepted, modified, and available for a future Update. Even if this is a legitimate bug, not sure for which Update Tomas can have it tested/fixed by, and I can't modify the docs until the fix is upstream. THANK YOU SO MUCH for including documentation in this matter! Depending on the timeline for the fix, I can add a "Note" that states the issue in the meantime... waiting on Tomas...
assigning this bug to jha for processing
Please confirm that the line:
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
should read:
/usr/bin/openssl req -new -key -set_serial num /etc/httpd/conf/ssl.key/server.key
Removing automation notification
Yes. I see no serial number explanation in the current RH's docs.
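The serial collision described in this report, as an added example that is not part of the bug report or of the openssl package's Makefile: it reissues a self-signed certificate with the next serial and refuses a replacement that repeats the old issuer and serial pair. The function names, the subject CN and the file arguments are assumptions, and the arithmetic assumes the old serial fits in 63 bits.

```shell
#!/bin/sh
# Added example: renew a self-signed certificate without reusing its serial.
# Function names, the CN and all file paths are illustrative assumptions.

# make_cert KEY OUT SERIAL: self-signed certificate for an existing key.
# -set_serial takes its own value (decimal, or hex with a 0x prefix) and
# applies when req writes a self-signed certificate (-x509); -key is
# followed directly by the key file.
make_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -days 365 \
        -subj "/CN=www.example.test" -set_serial "$3"
}

# cert_serial CERT: print the serial as bare hex, e.g. "00" or "01".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# issuer_serial CERT: print issuer and serial joined by "|". This pair is
# what a client uses to tell one certificate from another.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# collides OLD NEW: exit 0 when both certificates share issuer and serial.
collides() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ]
}

# renew KEY OLD NEW: issue NEW with OLD's serial + 1, then verify that the
# result really differs from OLD before it is deployed.
renew() {
    next=$(( 0x$(cert_serial "$2") + 1 ))   # assumes the serial fits in 63 bits
    make_cert "$1" "$3" "$next" || return 1
    if collides "$2" "$3"; then
        echo "refusing $3: same issuer and serial as $2" >&2
        return 1
    fi
}

# Usage (constructed paths):
#   openssl genrsa -out server.key 2048
#   make_cert server.key old.crt 0        # serial 0, the default in the report
#   renew server.key old.crt new.crt      # new.crt gets serial 1
```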