How to change the Serial Number of an OpenSSL certificate? - Security


  1. How to change the Serial Number of an OpenSSL certificate?


    The dovecot (IMAP server) software comes with the script plus config
    file included below. Due to Thunderbird's complaints about the
    duplicate serial number I have been trying to change it. One of my
    attempts was to add this line:

    SN=1

    It seemed to work, but when Thunderbird examines the certificate, it
    still says: "Serial Number: 0".

    How can I update that serial number?

    TIA,

    -Ramon F Herrera

    --------------------------------------------------------------------
    dovecot-openssl.cnf file:
    --------------------------------------------------------------------
    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    # country (2 letter code)
    #C=FI

    # State or Province Name (full name)
    #ST=

    # Locality Name (eg. city)
    #L=Helsinki

    # Organization (eg. company)
    #O=Dovecot

    # Organizational Unit Name (eg. section)
    OU=IMAP server

    # Common Name (*.example.com is also possible)
    CN=imap.example.com

    # E-mail contact
    emailAddress=postmaster@example.com

    [ cert_type ]
    nsCertType = server

    --------------------------------------------------------------------
    mkcert.sh file:
    --------------------------------------------------------------------
    #!/bin/sh

    # Generates a self-signed certificate.
    # Edit dovecot-openssl.cnf before running this.

    OPENSSL=${OPENSSL-openssl}
    SSLDIR=${SSLDIR-/etc/ssl}
    OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

    CERTDIR=$SSLDIR/certs
    KEYDIR=$SSLDIR/private

    CERTFILE=$CERTDIR/dovecot.pem
    KEYFILE=$KEYDIR/dovecot.pem

    if [ ! -d "$CERTDIR" ]; then
        echo "$SSLDIR/certs directory doesn't exist"
        exit 1
    fi

    if [ ! -d "$KEYDIR" ]; then
        echo "$SSLDIR/private directory doesn't exist"
        exit 1
    fi

    if [ -f "$CERTFILE" ]; then
        echo "$CERTFILE already exists, won't overwrite"
        exit 1
    fi

    if [ -f "$KEYFILE" ]; then
        echo "$KEYFILE already exists, won't overwrite"
        exit 1
    fi

    # Generate the private key and the self-signed certificate in one step;
    # -x509 makes 'req' emit a certificate instead of a signing request.
    $OPENSSL req -new -x509 -nodes -config "$OPENSSLCONFIG" \
        -out "$CERTFILE" -keyout "$KEYFILE" -days 365 || exit 2
    chmod 0600 "$KEYFILE"
    echo
    $OPENSSL x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2


  2. Re: How to change the Serial Number of an OpenSSL certificate?

    On Jun 3, 4:29 pm, Ramon F Herrera wrote:
    > The dovecot (IMAP server) software comes with the script plus config
    > file included below. Due to Thunderbird's complaints about the
    > duplicate serial number I have been trying to change it. One of my
    > attempts was to add this line:
    >
    > SN=1
    >
    > It seemed to work, but when Thunderbird examines the certificate, it
    > still says: "Serial Number: 0".
    >
    > How can I update that serial number?
    >
    > TIA,
    >
    > -Ramon F Herrera
    >
    > --------------------------------------------------------------------
    > dovecot-openssl.cnf file:
    > --------------------------------------------------------------------
    > [ req ]
    > default_bits = 1024
    > encrypt_key = yes
    > distinguished_name = req_dn
    > x509_extensions = cert_type
    > prompt = no
    >
    > [ req_dn ]
    > # country (2 letter code)
    > #C=FI
    >
    > # State or Province Name (full name)
    > #ST=
    >
    > # Locality Name (eg. city)
    > #L=Helsinki
    >
    > # Organization (eg. company)
    > #O=Dovecot
    >
    > # Organizational Unit Name (eg. section)
    > OU=IMAP server
    >
    > # Common Name (*.example.com is also possible)
    > CN=imap.example.com
    >
    > # E-mail contact
    > emailAddress=postmas...@example.com
    >
    > [ cert_type ]
    > nsCertType = server
    >
    > --------------------------------------------------------------------
    > mkcert.sh file:
    > --------------------------------------------------------------------
    > #!/bin/sh
    >
    > # Generates a self-signed certificate.
    > # Edit dovecot-openssl.cnf before running this.
    >
    > OPENSSL=${OPENSSL-openssl}
    > SSLDIR=${SSLDIR-/etc/ssl}
    > OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
    >
    > CERTDIR=$SSLDIR/certs
    > KEYDIR=$SSLDIR/private
    >
    > CERTFILE=$CERTDIR/dovecot.pem
    > KEYFILE=$KEYDIR/dovecot.pem
    >
    > if [ ! -d $CERTDIR ]; then
    > echo "$SSLDIR/certs directory doesn't exist"
    > exit 1
    > fi
    >
    > if [ ! -d $KEYDIR ]; then
    > echo "$SSLDIR/private directory doesn't exist"
    > exit 1
    > fi
    >
    > if [ -f $CERTFILE ]; then
    > echo "$CERTFILE already exists, won't overwrite"
    > exit 1
    > fi
    >
    > if [ -f $KEYFILE ]; then
    > echo "$KEYFILE already exists, won't overwrite"
    > exit 1
    > fi
    >
    > $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE \
    >     -keyout $KEYFILE -days 365 || exit 2
    > chmod 0600 $KEYFILE
    > echo
    > $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2



    I fixed this by going into Thunderbird's option menu and removing the
    old certificates.

    Still, I am curious: What's the deal with Serial Numbers?

    -Ramon



  3. Re: How to change the Serial Number of an OpenSSL certificate?

    Ramon F Herrera wrote:

    > Still, I am curious: What's the deal with Serial Numbers?


    Someone will certainly correct me on this if I'm mistaken, or omitting
    an important detail, but I believe the serial number is used by the CA
    at certificate-revocation time.

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  4. Re: How to change the Serial Number of an OpenSSL certificate?

    > How can I update that serial number?

    You can't change the serial number of a certificate after it was
    created. The serial number is part of the signed certificate.
    Inside a CA every certificate gets its own unique serial number to
    identify the certificate (e.g. for revocation etc.).
    If you need to have a new serial number you have to revoke this
    certificate and generate a new one by the CA.

    Ulf

  5. Re: How to specify the Serial Number of an OpenSSL certificate?

    On Jun 5, 4:00 am, Ulf Leichsenring wrote:
    > > How can I update that serial number?
    >
    > You can't change the serial number of a certificate
    > after it was created.


    I realize that. I am my own CA, using 'openssl' as explained in my OP.
    My question is: how can I specify to the system: "this certificate
    that you are making for me should have serial number 2"?

    My wild guess was to add this line:

    SN=2

    I also tried NS=2 (note the transposed letters), which predictably was
    rejected as an unknown variable, so we know that SN is a recognized
    variable. Hopefully it means "Serial Number".

    However, when the certificate is examined by Thunderbird, it always
    shows Serial Number = 0.

    -Ramon



  6. Re: How to specify the Serial Number of an OpenSSL certificate?

    Ramon F Herrera writes:
    >On Jun 5, 4:00 am, Ulf Leichsenring wrote:
    >> > How can I update that serial number?
    >>
    >> You can't change the serial number of a certificate
    >> after it was created.
    >
    >I realize that. I am my own CA, using 'openssl' as explained in my OP.
    >My question is: how can I specify to the system: "this certificate
    >that you are making for me should have serial number 2"?


    The stock 'openssl' commandset looks for the file 'serial' (or
    whatever is pointed to by the environmental variable ENV_SERIAL)
    which has to look just right (i.e. an even number of hex digits to be
    able to turn them into bytes IIRC).

    If it doesn't find this file, it punts and creates the serial number of '00'.

    The CA.sh script has a -newca option that populates this file for you
    magically at 01. But since it uses all relative files with no directory
    structure possible, you generally have to cd and run your CA.sh
    file in order to utilize it the way it was (barely) designed.

    I do wish there was a better PKI framework built around the OpenSSL
    libs. It's clear the command line openssl isn't going to cut it, as
    much as the OpenPKI and OpenCA projects are going to keep on trying.
