Crashes when generating certificate

Karl Denninger karl at denninger.net
Tue May 14 15:22:23 UTC 2019


On 5/14/2019 09:48, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Karl Denninger
>> Sent: Monday, May 13, 2019 16:32
>> On 5/13/2019 16:44, Christopher R wrote:
>>> All I want is whatever remnants of that incorrect certificate removed,
>>> where ever they are, and a correct certificate created.
>> Not sure what you have left, but probably in the certs directory.
> I can't think of what remnant of the old certificate would be there, except the certificate itself, in whatever the configuration file specifies for the new_certs_dir. And I've never seen that cause this problem.

There's a directory (by default "newcerts" but can be changed in the
config file) that has a copy of the certs that OpenSSL generates.  If
there's a collision in there (which could happen if the serial number is
reused) "bad things" could happen.  I've not looked at the code to see
if that would cause a bomb-out but the risk with playing in the database
file, although it's just a flat file, and/or the serial number index is
that you can wind up with conflicts.

The "ca" function in openssl lacks the sort of robustness and "don't do
that" sort of protections that one would expect in a "production"
setting.  That's not to say it can't be used that way but quite a bit of
care is required to do so successfully, and toying around in the
database structure by hand is rather removed from that degree of care.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
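The post above warns about the flat-file "database" behind `openssl ca`: the `index.txt` index, the `serial` file and the `new_certs_dir` copies can drift out of step when they are edited by hand or a serial number is reused. The following script is an added example written for this thread, not code from OpenSSL or from the post's author. It parses the `index.txt` format (six tab-separated fields: status, expiry, revocation date, hex serial, filename, subject DN), reports duplicate serials, compares the index against the `<serial>.pem` files in `new_certs_dir`, and checks that the `serial` file still points past every issued serial. The sample index and file list are constructed; `audit_ca_dir` is a hypothetical helper that runs the same checks on a real CA directory.

```python
"""Consistency checks for an `openssl ca` database directory.

Added example for the openssl-users thread; not OpenSSL code. It inspects
index.txt, the serial file and new_certs_dir for the kinds of conflicts the
post describes (duplicate serials, index entries without a newcerts copy,
stray newcerts files, a serial counter that has been wound backwards).
"""
import os
import sys
from collections import Counter

# index.txt layout (tab-separated), as written by `openssl ca`:
# status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date (empty unless R),
# serial (hex), filename (always "unknown"), subject DN.
INDEX_FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt content into a list of dicts, one per certificate."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(INDEX_FIELDS):
            raise ValueError(
                f"index.txt line {lineno}: expected {len(INDEX_FIELDS)} "
                f"tab-separated fields, got {len(fields)}"
            )
        entry = dict(zip(INDEX_FIELDS, fields))
        entry["serial"] = entry["serial"].upper()  # normalise hex case
        entries.append(entry)
    return entries


def duplicate_serials(entries):
    """Serials that appear more than once in the index (a reused serial)."""
    counts = Counter(e["serial"] for e in entries)
    return sorted(s for s, n in counts.items() if n > 1)


def newcerts_mismatches(entries, newcerts_files):
    """Compare the index with new_certs_dir.

    Returns (missing, orphaned): serials listed in index.txt that have no
    <serial>.pem copy, and .pem files whose serial is not in the index.
    """
    present = {f[:-4].upper() for f in newcerts_files if f.lower().endswith(".pem")}
    indexed = {e["serial"] for e in entries}
    return sorted(indexed - present), sorted(present - indexed)


def serial_file_ok(serial_text, entries):
    """True if the `serial` file (next serial to issue) is above every issued serial.

    Assumes the default sequential serial behaviour; a CA run with
    -rand_serial does not keep a monotonic counter and this check does not apply.
    """
    next_serial = int(serial_text.strip(), 16)
    return all(next_serial > int(e["serial"], 16) for e in entries)


def audit_ca_dir(ca_dir, newcerts_subdir="newcerts"):
    """Hypothetical helper: run all checks on a real CA directory and return a report dict."""
    with open(os.path.join(ca_dir, "index.txt")) as f:
        entries = parse_index(f.read())
    with open(os.path.join(ca_dir, "serial")) as f:
        serial_text = f.read()
    files = os.listdir(os.path.join(ca_dir, newcerts_subdir))
    missing, orphaned = newcerts_mismatches(entries, files)
    return {
        "entries": len(entries),
        "duplicate_serials": duplicate_serials(entries),
        "missing_newcerts": missing,
        "orphaned_newcerts": orphaned,
        "serial_file_ok": serial_file_ok(serial_text, entries),
    }


# Constructed sample data: three index lines, the third reuses serial 1001.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t1000\tunknown\t/CN=alice.example\n"
    "R\t300101000000Z\t190514150000Z\t1001\tunknown\t/CN=bob.example\n"
    "V\t300101000000Z\t\t1001\tunknown\t/CN=carol.example\n"
)
# Constructed listing of new_certs_dir: 1002.pem has no index entry.
SAMPLE_NEWCERTS = ["1000.pem", "1001.pem", "1002.pem"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_ca_dir(sys.argv[1]))
    else:
        sample = parse_index(SAMPLE_INDEX)
        print("duplicates:", duplicate_serials(sample))
        print("missing/orphaned:", newcerts_mismatches(sample, SAMPLE_NEWCERTS))
        print("serial file ok:", serial_file_ok("1002\n", sample))
```

Run it with the path of a CA directory (the one holding `index.txt`, `serial` and `newcerts/`) to get a report, or with no argument to see the checks applied to the constructed sample. A non-empty `duplicate_serials` list or a `serial_file_ok` of `False` is exactly the state the post cautions against, and is worth fixing before the next `openssl ca` run rather than after.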