2 Sep 2002 14:07
Re: [openssl.org #248] bad serial number length
Dr. Stephen Henson <steve <at> openssl.org>
2002-09-02 12:07:04 GMT
On Mon, Sep 02, 2002, Olaf Zaplinski via RT wrote:

>
> Stephen Henson via RT wrote:
> > [olaf <at> zaplinski.de - Mon Aug 26 10:33:29 2002]:
> >
> >>I found the solution: I just commented out the lines 675-676 in apps/ca.c -
> >>now everything works as expected.
> >
> > Since this just disables the check it isn't a good idea.
>
> It is not disabled - some other check then tells me what went wrong when I
> force an error by editing the serial file. This error message (which I don't
> remember) was far better than that simple 'bad serial number length' which
> does not mean more than 'ouch' to me.
>
It's checking for errors in index.txt, not serial.
> > The error message suggested that index.txt has somehow had an invalid
> > serial number written to it. What does your index.txt and your serial
> > file look like when you get this message?
>
> This is what I did after 'make install':
>
> cd /usr/local/ssl
> mkdir rootCA
> [edited openssl.cnf and adjusted the paths accordingly]
> cd rootCA
> touch index.txt
> [edited serial and inserted one line containing '00']
>
> So index.txt was a zero byte file, serial contains '00'.
>
> Then I created the CA and the 1st server cert w/o problems. The 2nd cert
> signing fails then.
>
Yes, but what do index.txt and serial contain after the error? Can you send
them to me, not just a description, because it may be one stray character
that is confusing 'ca'.
> BTW, it would be great if 'make install' would set up the demoCA directory
> with proper index.txt and serial (AFAIK this was the case for older versions).
>
The command CA.pl -newca does that. Can you check if a demoCA created with
CA.pl -newca also produces this error?
Steve.
--
Dr. Stephen Henson steve <at> openssl.org
OpenSSL Project http://www.openssl.org/~steve/
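A way to look for the "one stray character" the reply above asks about, as an added example that is not part of the original message and is not OpenSSL code. It assumes index.txt holds six tab-separated fields with the serial in the fourth, and that a valid serial is an even number (at least two) of hex digits with an optional leading '-'; the function names and sample data are constructed for illustration.

```python
import string

HEX = set(string.hexdigits)
SERIAL_FIELD = 3  # assumed layout: status, expiry, revocation, serial, file, subject DN

def serial_problems(serial):
    """Problems with one serial string: odd/short length or non-hex characters."""
    digits = serial[1:] if serial.startswith("-") else serial
    found = []
    if len(digits) < 2 or len(digits) % 2:
        found.append(f"bad serial number length ({len(digits)}) in {serial!r}")
    for pos, ch in enumerate(digits):
        if ch not in HEX:
            found.append(f"bad serial number character {ch!r} at position {pos}")
    return found

def check_index(text):
    """Return (line_no, problem) pairs for the entries of index.txt content."""
    report = []
    lines = text.split("\n")  # split on LF only, so a stray CR stays visible
    if lines and lines[-1] == "":
        lines.pop()  # normal trailing newline, not an empty entry
    for n, line in enumerate(lines, 1):
        fields = line.split("\t")
        if len(fields) != 6:
            report.append((n, f"expected 6 tab-separated fields, got {len(fields)}"))
            continue
        report += [(n, p) for p in serial_problems(fields[SERIAL_FIELD])]
        stray = [c for c in line if c != "\t" and not (" " <= c <= "~")]
        if stray:
            report.append((n, f"characters outside printable ASCII: {stray!r}"))
    return report

def check_serial_file(text):
    """The serial file holds one hex value on its first line."""
    return serial_problems(text.split("\n")[0])

# Constructed sample, not the reporter's files: entry 2 has an odd-length
# serial, entry 3 has a trailing space in the serial and a CRLF line ending.
SAMPLE_INDEX = (
    "V\t030902120000Z\t\t00\tunknown\t/C=DE/O=Example/CN=Example Root CA\n"
    "V\t030902120000Z\t\t1\tunknown\t/C=DE/O=Example/CN=www.example.org\n"
    "V\t030902120000Z\t\t02 \tunknown\t/C=DE/O=Example/CN=mail.example.org\r\n"
)

if __name__ == "__main__":
    for line_no, problem in check_index(SAMPLE_INDEX):
        print(f"index.txt entry {line_no}: {problem}")
    print("serial file:", check_serial_file("00\n") or "ok")
```

Reading the files in binary-safe form and printing offending characters with `repr` is what makes whitespace and carriage returns visible, which a plain description of the file contents would hide.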