On 5/14/2019 09:48, Michael Wojcik wrote:
> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Karl Denninger
> Sent: Monday, May 13, 2019 16:32
>
>> On 5/13/2019 16:44, Christopher R wrote:
>>> All I want is whatever remnants of that incorrect certificate removed, wherever they are, and a correct certificate created.
>> Not sure what you have left, but probably in the certs directory.
>
> I can't think of what remnant of the old certificate would be there, except the certificate itself, in whatever the configuration file specifies for the new_certs_dir. And I've never seen that cause this problem.

There's a directory (by default "newcerts" but can be changed in the config file) that has a copy of the certs that OpenSSL generates. If there's a collision in there (which could happen if the serial number is reused) "bad things" could happen. I've not looked at the code to see if that would cause a bomb-out but the risk with playing in the database file, although it's just a flat file, and/or the serial number index is that you can wind up with conflicts.

The "ca" function in openssl lacks the sort of robustness and "don't do that" sort of protections that one would expect in a "production" setting. That's not to say it can't be used that way, but quite a bit of care is required to do so successfully, and toying around in the database structure by hand is rather removed from that degree of care.
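Added example, not part of this thread or of OpenSSL: a small Python check over an `openssl ca` database directory that flags the conditions described above, namely a serial that appears more than once in index.txt, a `serial` file wound back to a value already issued, and a newcerts/<serial>.pem remnant that index.txt no longer knows about. It relies only on the documented ca(1) layout (tab-separated index.txt columns and <serial>.pem names in new_certs_dir); the sample database below is constructed.

```python
"""Consistency check for an `openssl ca` flat-file database (added example)."""
from collections import Counter

# index.txt is tab separated: status, expiry, revocation date, serial (hex),
# certificate filename, subject DN (see the ca(1) man page).
FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")

def parse_index(text):
    """Parse index.txt into one dict per issued certificate."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(parts)}")
        row = dict(zip(FIELDS, parts))
        row["serial"] = row["serial"].upper()   # ca(1) writes uppercase hex
        rows.append(row)
    return rows

def find_problems(index_text, serial_text, newcerts_names):
    """Return findings about duplicate serials, a reusable 'serial' value,
    and newcerts/<serial>.pem files that are out of step with index.txt."""
    rows = parse_index(index_text)
    counts = Counter(r["serial"] for r in rows)
    indexed = set(counts)
    next_serial = int(serial_text.strip(), 16)   # value `ca` will issue next
    on_disk = {n[:-4].upper() for n in newcerts_names if n.endswith(".pem")}
    findings = []
    for s in sorted(indexed):
        if counts[s] > 1:
            findings.append(f"serial {s} appears {counts[s]} times in index.txt")
        if int(s, 16) >= next_serial:
            findings.append(f"serial {s} already issued but 'serial' file is {next_serial:X}: reuse")
    for s in sorted(on_disk - indexed):
        findings.append(f"newcerts/{s}.pem has no index.txt entry (stale remnant)")
    for s in sorted(indexed - on_disk):
        findings.append(f"index.txt serial {s} has no newcerts/{s}.pem copy")
    return findings

# Constructed sample: serial 1001 issued twice, 'serial' wound back to 1001,
# and a leftover 1003.pem that index.txt does not know about.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t1000\tunknown\t/CN=host-a.example\n"
    "V\t300101000000Z\t\t1001\tunknown\t/CN=host-b.example\n"
    "V\t300101000000Z\t\t1001\tunknown\t/CN=host-c.example\n"
)
SAMPLE_SERIAL = "1001\n"
SAMPLE_NEWCERTS = ["1000.pem", "1001.pem", "1003.pem"]
```

Run `find_problems(SAMPLE_INDEX, SAMPLE_SERIAL, SAMPLE_NEWCERTS)` to see the three findings for the constructed database; on a real CA pass the contents of index.txt and serial plus `os.listdir` of new_certs_dir.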