The combination of (issuer,serial#) is the only way to get a unique identifier for a certificate. Lots of software depends on certs being uniquely identifiable. What happens if that assertion is not true? Some things will break. What? Well, it depends on the software, and which certs are “duplicates” and so on. There’s no way to know, really. Just don’t do it. For example, if cert-A has a keypair and cert-B has a keypair, then site-B could send a TLS chain with cert-A and while it would look correct, the connection would fail. This is silly if B is doing it, but it is a DoS attack if a man in the middle does it. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users