Red Hat Bugzilla – Bug 151190
System Adm. Guide: Serial numbers are not explained when creating self signed CRT
Last modified: 2014-08-04 18:15:18 EDT
When creating a self-signed certificate (as a lot of people do), every
new one (for the same server) must have a different serial number. If not,
Mozilla and Firefox refuse to display a page covered by a new
certificate with the same serial as another certificate already stored in
Firefox/Mozilla. The user must wipe out the old certificate from
his WWW client by hand first.
This should be written in the RHEL docs as only a few people know about it
(if we count people who are reading SAG). The parameter is
'-set_serial num', which should be added to the line with 'openssl req'.
So please extend the appropriate section.
I submitted bug #151188 with a patch for the Makefile from the openssl
package to easily pass a serial number when using 'make testcert
SERIAL=num', as you wrote about in SAG.
The default behavior is to create a certificate with a serial 0 (zero)
and the patch does not change this when no SERIAL parameter is used.
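The reporter's point, shown as an added example that is not part of this bug report or of the SAG recipe: two self-signed certificates for the same server are minted with explicit, different serials via -set_serial, and the serials are read back so a re-issue can be checked before it is deployed. The scratch directory, key size and subject are assumptions, not the SAG paths.

```sh
#!/bin/sh
# Added example: self-signed certs for one server must carry distinct serials,
# otherwise a browser that cached the old one rejects the new one.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch dir (assumption; SAG uses /etc/httpd/conf)

# make_cert NUM OUT: self-signed cert with serial NUM, reusing one server key.
# -set_serial takes decimal (or 0x-prefixed hex) and only applies with -x509.
make_cert() {
    [ -f "$WORK/server.key" ] || openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/server.key" -out "$2" \
        -subj "/CN=www.example.com" -set_serial "$1" 2>/dev/null
}

# cert_serial FILE: print the serial as uppercase hex, e.g. 1 -> "01", 42 -> "2A"
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# serials_differ A B: succeed only if the two certs carry different serials
serials_differ() {
    [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}
```

Before replacing a deployed self-signed certificate, run serials_differ against the old and new files; a match means clients that cached the old one will refuse the new one until it is removed by hand.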
Bug will be accepted once root development bug is accepted, modified, and
available for a future Update. Even if this is a legitimate bug, not sure for
which Update Tomas can have it tested/fixed by, and I can't modify the docs
until the fix is upstream.
THANK YOU SO MUCH for including documentation in this matter!
Depending on the timeline for the fix, I can add a "Note" that states the issue
in the meantime...
waiting on Tomas...
assigning this bug to firstname.lastname@example.org for processing
Please confirm that the line:
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
/usr/bin/openssl req -new -set_serial num -key /etc/httpd/conf/ssl.key/server.key
Removing automation notification
Yes. I see no serial number explanation in the current RH's docs.