Certificate creation stuck at 256 certificates - Openssl


Thread: Certificate creation stuck at 256 certificates

  1. Certificate creation stuck at 256 certificates

    Hey there,

    I have a server running Redhat 9 with openssl-0.9.7a-20.2

    It has been happily running along creating certificates via webpage
    scripts for external access for clients.

    However, as of today it will not create certificates properly, giving an
    error when trying to create the certificate. When trying to read the
    subsequent pem file, I get:
    unable to load certificate
    6364:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

    I have had a look around and it appears that the serial number for the
    last certificate created was FF (hex), indicating 256 certificates have
    so far been created. The next number in the serial file is 0100, which
    would seem the logical next number, however the certificate signing
    bails out on me.

    Any ideas - I have been trying to get an updated version of openssl for
    RedHat9 without any luck so far ...

    David Skeen

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. RE: Certificate creation stuck at 256 certificates


    > I have had a look around and it appears that the serial number for the
    > last certificate created was FF (hex), indicating 256 certificates have
    > so far been created. The next number in the serial file is 0100, which
    > would seem the logical next number, however the certificate signing
    > bails out on me.


    FF is not a legal certificate number. Certificate numbers must not be
    negative. (0xFF has the sign bit set and hence is negative.)

    DS




  3. RE: Certificate creation stuck at 256 certificates

    Thanks for response!

    Not sure what U are referring to about illegal cert number.

    Here is some more info:
    [root@mail demoCA]# ls
    cacert.pem crl index.txt.old pem serial
    certs index.txt newcerts private serial.old
    [root@mail demoCA]# cat serial
    0100
    [root@mail demoCA]# cat serial.old
    FF
    [root@mail demoCA]# ls newcerts
    01.pem 1B.pem 35.pem 4F.pem 69.pem 83.pem 9D.pem B7.pem D1.pem EB.pem
    02.pem 1C.pem 36.pem 50.pem 6A.pem 84.pem 9E.pem B8.pem D2.pem EC.pem
    03.pem 1D.pem 37.pem 51.pem 6B.pem 85.pem 9F.pem B9.pem D3.pem ED.pem
    04.pem 1E.pem 38.pem 52.pem 6C.pem 86.pem A0.pem BA.pem D4.pem EE.pem
    05.pem 1F.pem 39.pem 53.pem 6D.pem 87.pem A1.pem BB.pem D5.pem EF.pem
    06.pem 20.pem 3A.pem 54.pem 6E.pem 88.pem A2.pem BC.pem D6.pem F0.pem
    07.pem 21.pem 3B.pem 55.pem 6F.pem 89.pem A3.pem BD.pem D7.pem F1.pem
    08.pem 22.pem 3C.pem 56.pem 70.pem 8A.pem A4.pem BE.pem D8.pem F2.pem
    09.pem 23.pem 3D.pem 57.pem 71.pem 8B.pem A5.pem BF.pem D9.pem F3.pem
    0A.pem 24.pem 3E.pem 58.pem 72.pem 8C.pem A6.pem C0.pem DA.pem F4.pem
    0B.pem 25.pem 3F.pem 59.pem 73.pem 8D.pem A7.pem C1.pem DB.pem F5.pem
    0C.pem 26.pem 40.pem 5A.pem 74.pem 8E.pem A8.pem C2.pem DC.pem F6.pem
    0D.pem 27.pem 41.pem 5B.pem 75.pem 8F.pem A9.pem C3.pem DD.pem F7.pem
    0E.pem 28.pem 42.pem 5C.pem 76.pem 90.pem AA.pem C4.pem DE.pem F8.pem
    0F.pem 29.pem 43.pem 5D.pem 77.pem 91.pem AB.pem C5.pem DF.pem F9.pem
    10.pem 2A.pem 44.pem 5E.pem 78.pem 92.pem AC.pem C6.pem E0.pem FA.pem
    11.pem 2B.pem 45.pem 5F.pem 79.pem 93.pem AD.pem C7.pem E1.pem FB.pem
    12.pem 2C.pem 46.pem 60.pem 7A.pem 94.pem AE.pem C8.pem E2.pem FC.pem
    13.pem 2D.pem 47.pem 61.pem 7B.pem 95.pem AF.pem C9.pem E3.pem FD.pem
    14.pem 2E.pem 48.pem 62.pem 7C.pem 96.pem B0.pem CA.pem E4.pem FE.pem
    15.pem 2F.pem 49.pem 63.pem 7D.pem 97.pem B1.pem CB.pem E5.pem FF.pem
    16.pem 30.pem 4A.pem 64.pem 7E.pem 98.pem B2.pem CC.pem E6.pem
    17.pem 31.pem 4B.pem 65.pem 7F.pem 99.pem B3.pem CD.pem E7.pem
    18.pem 32.pem 4C.pem 66.pem 80.pem 9A.pem B4.pem CE.pem E8.pem
    19.pem 33.pem 4D.pem 67.pem 81.pem 9B.pem B5.pem CF.pem E9.pem
    1A.pem 34.pem 4E.pem 68.pem 82.pem 9C.pem B6.pem D0.pem EA.pem


    I am not fully comprehending the whole demoCA procedure, however it is
    rather odd that things have stopped working as the serial number ticks
    over to 0100 from FF. Was hoping someone might have come across this
    before ...

    Also, as a potential solution, is there a method for simply copying over
    a demoCA from an old server to a new server?

    David Skeen
    JDS Solutions



  4. Re: [openssl-users] RE: Certificate creation stuck at 256 certificates

    Today, 7 August 2008, David Schwartz wrote:
    >
    > > I have had a look around and it appears that the serial number for the
    > > last certificate created was FF (hex), indicating 256 certificates have
    > > so far been created. The next number in the serial file is 0100, which
    > > would seem the logical next number, however the certificate signing
    > > bails out on me.
    >
    > FF is not a legal certificate number. Certificate numbers must not be
    > negative. (0xFF has the sign bit set and hence is negative.)


    "Legally" (this term has no place here) a serial number *can* be
    negative, if you're looking at the X.509 recommendation. That's surely
    not the reason for the problem. Only the RFC (starting with 3280)
    states that the serialNumber MUST be a positive integer.

    --
    Erwann ABALEA
    -----
    "Do or do not. There is no try."
    Yoda


  5. Re: Certificate creation stuck at 256 certificates

    Hm... I don't have the sources for 0.9.7 around, but when I quickly
    look at the 0.9.9 code, it shouldn't do this (a2i_ASN1_INTEGER() is
    used to convert the hex text in the file to a BigNum and, to address
    the sign mentioned before: AFAICS that routine requires an ASCII '-'
    to identify negative values; it does not 'sign-extend' hex digits;
    besides, if it had, we'd already have been in trouble when the serial
    went from '7F' to '80').

    It may be that apps/ca.c + apps/apps.c in 0.9.7a is not (yet) using
    this a2i_... function or that there's a typecast to char or some such
    around (your problem smells a lot like that), so the only way out for
    now that I can imagine is to get an OpenSSL source tree from OpenSSL.org,
    dump it in a temp directory for testing and build/compile it so you
    get another apps/ca binary in there; it's not hard to do, so you
    should be fine. Just read the instructions for configure and make and
    you should be good to go.

    Then it will probably work out okay if you copy that demoCA directory
    of yours over the openssl-testdir/apps/demoCA directory, then try
    running the newly compiled ca binary to produce a certificate with
    serial '0100'. Should work out all right, though I must state that I
    haven't used ca+demoCA enough to surpass the byte boundary you've run
    into.

    So not a sure solution, but a probable direction towards solving this.

    HTH,


    Ger

    PS: and yes, generally you can replace the demoCA directory across
    OpenSSL versions of apps/ca, but always test to make sure when you
    migrate (just a general 'test-before-release' note, nothing particular
    to OpenSSL). Done it several times myself in my dev/test environments.




    --
    Met vriendelijke groeten / Best regards,

    Ger Hobbelt

    --------------------------------------------------
    web: http://www.hobbelt.com/
    http://www.hebbut.net/
    mail: ger@hobbelt.com
    mobile: +31-6-11 120 978
    --------------------------------------------------
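    A plain-C model of the serial-file handling discussed in this reply and in Erwann's, added here as an example and not code from the thread or from OpenSSL: it parses the hex serial the way Ger describes a2i_ASN1_INTEGER() behaving (explicit '-' only, no sign extension), shows what the suspected typecast-to-char would do at the FF/0100 byte boundary, applies the RFC 3280 positive-serial rule Erwann cites, and produces the even-digit next serial that turned FF into 0100. All function names are my own, and the real BIGNUM/ASN1_INTEGER code is only approximated.

```c
/* Added example, not code from the thread or from OpenSSL: a plain-C model
 * of how a hex serial file such as demoCA/serial is read, incremented and
 * checked. Function names are mine; a2i_ASN1_INTEGER() is only approximated. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse serial-file text the way Ger describes a2i_ASN1_INTEGER() treating
 * it: hex digits, negative only with an explicit leading '-', no sign
 * extension of the top bit. A trailing newline is tolerated.
 * Returns 0 on success, -1 on malformed input or overflow of 63 bits. */
int parse_hex_serial(const char *text, long long *out)
{
    int negative = 0;
    unsigned long long acc = 0;
    size_t ndigits = 0;

    if (*text == '-') { negative = 1; text++; }
    for (; *text != '\0' && *text != '\n' && *text != '\r'; text++) {
        int c = (unsigned char)*text, v;
        if (isdigit(c))                 v = c - '0';
        else if (c >= 'a' && c <= 'f')  v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F')  v = c - 'A' + 10;
        else                            return -1;   /* not a hex digit */
        if (acc >> 59) return -1;                    /* shift would overflow */
        acc = (acc << 4) | (unsigned long long)v;
        ndigits++;
    }
    if (ndigits == 0) return -1;
    *out = negative ? -(long long)acc : (long long)acc;
    return 0;
}

/* The narrowing Ger suspects in the 0.9.7a ca app (a hypothesis in the
 * thread, not a confirmed defect): push the parsed value through a signed
 * char. FF then reads as -1 and 0100 loses its high byte and reads as 0,
 * exactly the byte boundary at which the poster's CA stopped. */
long long narrow_through_signed_char(long long value)
{
    signed char c = (signed char)value;   /* wraps modulo 256 on common ABIs */
    return (long long)c;
}

/* RFC 3280 section 4.1.2.2: a conforming CA must not issue a serialNumber
 * that is zero or negative (its 20-octet cap cannot bite a 64-bit value).
 * The X.509 recommendation itself, as Erwann notes, allows negative values. */
int serial_is_rfc3280_valid(long long value)
{
    return value > 0;
}

/* Text written back to the serial file after signing: the incremented value
 * in upper-case hex, padded to an even number of digits, which is why the
 * thread's serial.old "FF" became serial "0100". Returns the length written,
 * or -1 if the next value would be invalid or buf is too small. */
int next_serial_text(const char *current, char *buf, size_t buflen)
{
    long long v;
    int n;

    if (parse_hex_serial(current, &v) != 0 || !serial_is_rfc3280_valid(v + 1))
        return -1;
    n = snprintf(buf, buflen, "%llX", (unsigned long long)(v + 1));
    if (n < 0 || (size_t)n >= buflen) return -1;
    if (n % 2 == 1) {                          /* pad to whole bytes */
        if ((size_t)n + 2 > buflen) return -1;
        memmove(buf + 1, buf, (size_t)n + 1);  /* shift including the NUL */
        buf[0] = '0';
        n++;
    }
    return n;
}

int main(void)
{
    const char *serial_old = "FF\n";   /* constructed: contents of serial.old */
    char next[32];
    long long v;

    if (parse_hex_serial(serial_old, &v) == 0)
        printf("FF parses as %lld (RFC 3280 ok: %d), narrowed to char: %lld\n",
               v, serial_is_rfc3280_valid(v), narrow_through_signed_char(v));
    if (next_serial_text(serial_old, next, sizeof next) > 0)
        printf("next serial file contents: %s\n", next);
    return 0;
}
```

    Note that with the parse modelled here FF is simply 255 and 0100 is 256, both positive; only the narrowing path turns the byte boundary into a failure, which is what makes the "upgrade the ca binary" advice in this reply the sensible test.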


  6. Re: Certificate creation stuck at 256 certificates

    On Fri August 8 2008 05:10, Ger Hobbelt wrote:

    It may not be the number itself, but the file indexing;

    > There may be another option, called CA_dir (or something like that).
    > It contains every CA certificate in a separate file and optionally
    > all CRLs to use.
    > You run c_rehash on this directory to create special links OpenSSL
    > can use to find CA certificates and their CRLs...
    >
    > These links contain an 8 byte hash value and an extension
    > to differentiate between CA files and CRL files.
    > This 8 byte hash is not calculated on the file,
    > but on the subject DN.

    In another ml thread.

    Mike


  7. Re: Certificate creation stuck at 256 certificates

    Cheers!

    Thanks for the info, I managed to fix the problem by upgrading via the
    source code to openssl-0.9.7d.

    David


