It's important to note that NSS-based applications (such as Firefox) will actually categorically refuse to connect to a site with an Issuer/serial collision with another certificate it has seen before. So yes, it can cause some applications to fail their SSL connections.

-Kyle H

On Tue, Jan 16, 2018 at 1:26 AM, Wouter Verhelst <wouter.verhelst@xxxxxxxxxxxx> wrote:
> On 14/01/2018 12:07, pratyush parimal wrote:
>> Hi everyone,
>>
>> I read from several sources that the serial number of a cert MUST be
>> unique within a CA. But could someone explain what would happen if the
>> serial number was not unique?
>
> The certificate itself will continue to work (the signature will be
> valid), but requesting status on the certificate (e.g., through OCSP or
> by doing a lookup in a CRL) will not work as expected as those use the
> serial number as an identifier.
>
>> Would it cause SSL connections to fail in some manner?
>
> No, but if the peer wants to request information on the used certificate
> from the CA to verify whether the certificate is still valid, it may end
> up receiving information about the wrong certificate.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
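The CRL side of what Wouter describes can be reproduced with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA, issues two certificates that both carry serial 0x1000, revokes only one of them, and then checks both against the resulting CRL. All names in it (Demo CA, alice.example, bob.example, the serial value, the file names) are made up for the demonstration, and it assumes an openssl CLI of 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. It shows what the replies describe:
# a CRL names a certificate by serial number only, so two certificates
# issued under one CA with the same serial share one revocation status.
# Needs the openssl CLI (1.1.1 or later). Every name below (Demo CA,
# alice.example, bob.example, serial 0x1000) is made up for the demo.

# Create a throwaway CA and two end-entity certs that both carry serial 0x1000.
setup_demo() {
  DEMO_DIR=$(mktemp -d) || return 1
  cd "$DEMO_DIR" || return 1
  # One config serves both `openssl req` (CA self-signing) and `openssl ca`.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
crlnumber        = crlnumber.txt
default_md       = sha256
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  : > index.txt            # empty issuance database for `openssl ca`
  echo 01 > crlnumber.txt
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1
  for name in alice bob; do
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=$name.example" -keyout "$name.key" -out "$name.csr" \
      >/dev/null 2>&1 || return 1
    # -set_serial forces the serial; reusing 0x1000 is the mistake under test.
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
      -set_serial 0x1000 -days 1 -out "$name.crt" >/dev/null 2>&1 || return 1
  done
}

# Sign and publish a CRL from the CA's current index (empty index = empty CRL).
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Mark alice's certificate revoked in the CA index. The index entry is keyed
# by serial, which is exactly why bob's certificate is dragged along.
revoke_alice() {
  openssl ca -config ca.cnf -revoke alice.crt >/dev/null 2>&1
}

# Chain-validate one cert against the CA and the published CRL.
# Prints valid, revoked, or error (any other verify failure, e.g. missing CRL).
crl_status() {
  if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" 2>&1); then
    echo valid
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo error
  fi
}

run_demo() {
  setup_demo && publish_crl || return 1
  echo "before revocation:    alice=$(crl_status alice.crt) bob=$(crl_status bob.crt)"
  revoke_alice && publish_crl || return 1
  echo "after revoking alice: alice=$(crl_status alice.crt) bob=$(crl_status bob.crt)"
  rm -rf "$DEMO_DIR"
}

run_demo
```

Before the revocation both certificates validate; after revoking only alice.crt, `openssl verify -crl_check` reports bob.crt as revoked too, because the CRL entry is just the serial 0x1000 under the issuer Demo CA and the verifier has nothing else to tell the two certificates apart. The same identifier (issuer plus serial) is what an OCSP request carries, so an OCSP responder fed from this index would give bob's status as alice's.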