<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 5/14/2019 09:48, Michael Wojcik
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BYAPR18MB2918504E38E2CCDF25110087F9080@BYAPR18MB2918.namprd18.prod.outlook.com">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">From: openssl-users [<a class="moz-txt-link-freetext" href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>] On Behalf Of Karl Denninger
Sent: Monday, May 13, 2019 16:32
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 5/13/2019 16:44, Christopher R wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">All I want is whatever remnants of that incorrect certificate removed,
where ever they are, and a correct certificate created.
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Not sure what you have left, but probably in the certs directory.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I can't think of what remnant of the old certificate would be there, except the certificate itself, in whatever the configuration file specifies for the new_certs_dir. And I've never seen that cause this problem.
</pre>
</blockquote>
<p>There's a directory (by default "newcerts" but can be changed in
the config file) that has a copy of the certs that OpenSSL
generates. If there's a collision in there (which could happen if
the serial number is reused) "bad things" could happen. I've not
looked at the code to see if that would cause a bomb-out but the
risk with playing in the database file, although it's just a flat
file, and/or the serial number index is that you can wind up with
conflicts.<br>
</p>
<p>The "ca" function in openssl lacks the sort of robustness and
"don't do that" sort of protections that one would expect in a
"production" setting. That's not to say it can't be used that way
but quite a bit of care is required to do so successfully, and
toying around in the database structure by hand is rather removed
from that degree of care.
</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
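<p>As an added example (my own code, not part of the thread above and not part of OpenSSL), here is a
consistency check over the three pieces of state that <tt>openssl ca</tt> keeps in step: the
<tt>index.txt</tt> database, the <tt>serial</tt> file (the <i>next</i> serial to issue) and the
copies in <tt>new_certs_dir</tt> (by default <tt>newcerts/</tt>). It assumes the default layout and
file names; the sample database it builds is constructed, with a reused serial, a stale
<tt>serial</tt> file and an orphan <tt>newcerts/</tt> file planted deliberately so the check has
something to report.</p>

```python
"""Consistency check for an OpenSSL "ca" database directory.

Added example; not code from the thread or from OpenSSL itself. It assumes
the default layout that "openssl ca" maintains from its config file:

  index.txt              tab-separated: status (V/R/E), expiry, revocation
                         date (empty unless R), serial (hex), filename
                         ("unknown"), subject DN
  serial                 hex value of the NEXT serial number to issue
  newcerts/<SERIAL>.pem  copy of every issued certificate (new_certs_dir)

A hand edit that reuses a serial, or drops an index line but leaves the
copy in newcerts/, is exactly the kind of conflict discussed above.
"""
import os
import tempfile
from collections import Counter


def parse_index(path):
    """Parse index.txt into a list of dicts, rejecting malformed lines."""
    entries = []
    with open(path, encoding="utf-8") as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.rstrip("\n")
            if not line:
                continue
            fields = line.split("\t")
            if len(fields) != 6:
                raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
            status, expiry, revoked, serial, _fname, dn = fields
            if status not in ("V", "R", "E"):
                raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
            entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                            "serial": serial.upper(), "dn": dn})
    return entries


def check_ca_db(ca_dir):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    entries = parse_index(os.path.join(ca_dir, "index.txt"))

    # 1. A serial must appear once: openssl ca names the newcerts copy after it.
    by_serial = Counter(e["serial"] for e in entries)
    for serial, n in sorted(by_serial.items()):
        if n > 1:
            problems.append(f"serial {serial} appears {n} times in index.txt")

    # 2. Two valid (V) certs with one subject: openssl ca refuses to issue this
    #    unless unique_subject = no, so it usually points at a hand edit.
    by_dn = Counter(e["dn"] for e in entries if e["status"] == "V")
    for dn, n in sorted(by_dn.items()):
        if n > 1:
            problems.append(f"{n} valid certificates share subject {dn}")

    # 3. The serial file holds the next serial; it must be above every issued one.
    with open(os.path.join(ca_dir, "serial"), encoding="utf-8") as f:
        next_serial = int(f.read().strip(), 16)
    issued = [int(e["serial"], 16) for e in entries]
    if issued and next_serial <= max(issued):
        problems.append(f"serial file ({next_serial:02X}) is not above the highest issued serial "
                        f"({max(issued):02X}); the next issue would reuse a serial")

    # 4. index.txt and newcerts/ must describe the same set of certificates.
    newcerts = os.path.join(ca_dir, "newcerts")
    on_disk = {n[:-4].upper() for n in os.listdir(newcerts) if n.endswith(".pem")}
    for serial in sorted(set(by_serial) - on_disk):
        problems.append(f"index.txt lists serial {serial} but newcerts/{serial}.pem is missing")
    for serial in sorted(on_disk - set(by_serial)):
        problems.append(f"newcerts/{serial}.pem has no index.txt entry (leftover from a hand edit?)")
    return problems


def build_sample_ca(ca_dir):
    """Write a CONSTRUCTED database with three deliberate faults: serial 1002
    used twice, a stale serial file, and an orphan newcerts/1003.pem."""
    os.makedirs(os.path.join(ca_dir, "newcerts"))
    index_lines = [
        "V\t300101000000Z\t\t1000\tunknown\t/CN=good.example",
        "R\t300101000000Z\t200101000000Z\t1001\tunknown\t/CN=revoked.example",
        "V\t300101000000Z\t\t1002\tunknown\t/CN=dup.example",
        "V\t300101000000Z\t\t1002\tunknown\t/CN=dup.example",
    ]
    with open(os.path.join(ca_dir, "index.txt"), "w", encoding="utf-8") as f:
        f.write("\n".join(index_lines) + "\n")
    with open(os.path.join(ca_dir, "serial"), "w", encoding="utf-8") as f:
        f.write("1002\n")  # stale: 1002 has already been issued
    for serial in ("1000", "1001", "1002", "1003"):  # 1003 has no index entry
        with open(os.path.join(ca_dir, "newcerts", serial + ".pem"), "w", encoding="utf-8") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(placeholder, not a real cert)\n"
                    "-----END CERTIFICATE-----\n")


def demo():
    """Build the constructed database in a temp dir and return its problems."""
    with tempfile.TemporaryDirectory() as ca_dir:
        build_sample_ca(ca_dir)
        return check_ca_db(ca_dir)


if __name__ == "__main__":
    for p in demo():
        print("PROBLEM:", p)
```

<p>Run against a real CA directory, <tt>check_ca_db("/path/to/ca")</tt> is a cheap thing to do before
and after any manual change. The safer path for the situation in the thread is to let the tool do the
bookkeeping: <tt>openssl ca -revoke</tt> on the bad certificate (which rewrites the index entry to
<tt>R</tt>) and then issue the replacement with a normal <tt>openssl ca</tt> run, which takes the next
serial and writes the <tt>newcerts/</tt> copy itself.</p>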
</body>
</html>