How to change the Serial Number of an OpenSSL certificate?

Posted by Ramon F Herrera on June 3, 2007, 5:29 pm

The dovecot (IMAP server) software comes with the script plus config
file included below. Due to Thunderbird's complaints about the
duplicate serial number I have been trying to change it. One of my
attempts was to add this line:

SN=1

It seemed to work, but when Thunderbird examines the certificate, it
still says: "Serial Number: 0".

How can I update that serial number?

TIA,

-Ramon F Herrera

--------------------------------------------------------------------
dovecot-openssl.cnf file:
--------------------------------------------------------------------
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server

--------------------------------------------------------------------
mkcert.sh file:
--------------------------------------------------------------------
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

# The ${VAR-default} expansions were lost when the post was rendered;
# the defaults below are assumed to match dovecot's shipped script.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d "$CERTDIR" ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d "$KEYDIR" ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

# -x509 turns the request straight into a self-signed certificate; no
# serial number is given here, so the tool's default is used.
$OPENSSL req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" \
  -keyout "$KEYFILE" -days 365 || exit 2
chmod 0600 "$KEYFILE"
echo
$OPENSSL x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2


Posted by Ramon F Herrera on June 3, 2007, 6:06 pm
> The dovecot (IMAP server) software comes with the script plus config
> file included below. Due to Thunderbird's complaints about the
> duplicate serial number I have been trying to change it. One of my
> attempts was to add this line:
>
> SN=1
>
> It seemed to work, but when Thunderbird examines the certitficate, it
> still says: "Serial Number: 0".
>
> How can I update that serial number?
>
> TIA,
>
> -Ramon F Herrera


I fixed this by going into Thunderbird's option menu and removing the
old certificates.

Still, I am curious: What's the deal with Serial Numbers?

-Ramon



Posted by Sylvain Robitaille on June 4, 2007, 12:13 am
Ramon F Herrera wrote:

> Still, I am curious: What's the deal with Serial Numbers?

Someone will certainly correct me on this if I'm mistaken, or omitting
an important detail, but I believe the serial number is used by the CA
at certificate-revocation time.

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

Posted by Ulf Leichsenring on June 5, 2007, 5:00 am
> How can I update that serial number?

You can't change the serial number of a certificate after it was
created. The serial number is part of the signed certificate.
Inside a CA every certificate gets its own unique serial number to
identify the certificate (e.g. for revocation etc.).
If you need to have a new serial number you have to revoke this
certificate and generate a new one by the CA.

Ulf

Posted by Ramon F Herrera on June 5, 2007, 3:34 pm
> > How can I update that serial number?
>
> You can't change the serial number of a certificate
> after it was created.

I realize that. I am my own CA, using 'openssl' as explained in my OP.
My question is: how can I specify to the system: "this certificate
that you are making for me should have serial number 2"?

My wild guess was to add this line:

SN=2

I also tried NS=2 (note the transposed letters), which predictably was
rejected as an unknown variable, so we know that SN is a recognized
variable. Hopefully it means "Serial Number".

However, when the certificate is examined by Thunderbird, it always
shows Serial Number = 0.

-Ramon

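The mechanism the thread was looking for, shown as an added example that is not part of the original posts: `openssl req -x509` takes a `-set_serial` option, while an `SN=2` line in `[ req_dn ]` is accepted only because SN is OpenSSL's short name for the surname attribute, so it ends up in the subject DN and leaves the serial untouched. The scratch directory, config contents and helper names (write_cnf, make_cert, serial_of, subject_of) are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: set the serial of a self-signed
# certificate with `openssl req -set_serial`, and show what `SN=2` in
# [req_dn] really does (SN is OpenSSL's short name for surname).
set -eu

WORK=$(mktemp -d)              # scratch dir, constructed for this demo
trap 'rm -rf "$WORK"' EXIT

# Write a minimal prompt=no config; $2 is an optional extra [req_dn] line.
write_cnf() {
    {
        printf '[ req ]\ndefault_bits = 2048\n'
        printf 'distinguished_name = req_dn\nprompt = no\n\n'
        printf '[ req_dn ]\nCN=imap.example.com\n'
        if [ -n "$2" ]; then printf '%s\n' "$2"; fi
    } > "$1"
}

# Self-signed cert with an explicit serial: $1 config, $2 serial, $3 cert path.
make_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$1" \
        -set_serial "$2" -days 365 -keyout "$3.key" -out "$3" 2>/dev/null
}

# Read the serial back as it is stored in the signed certificate (hex).
serial_of() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# Read the subject DN back in RFC 2253 form.
subject_of() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# 1) The right way: -set_serial 2 gives "Serial Number: 2" (hex 02).
write_cnf "$WORK/good.cnf" ""
make_cert "$WORK/good.cnf" 2 "$WORK/good.pem"
echo "serial with -set_serial 2  : $(serial_of "$WORK/good.pem")"

# 2) The thread's attempt: SN=2 is accepted, but it lands in the subject
#    as a surname attribute; the serial is whatever -set_serial (or the
#    tool default) provides, here 1.
write_cnf "$WORK/sn.cnf" "SN=2"
make_cert "$WORK/sn.cnf" 1 "$WORK/sn.pem"
echo "serial with SN=2 in req_dn : $(serial_of "$WORK/sn.pem")"
echo "subject with SN=2 in req_dn: $(subject_of "$WORK/sn.pem")"
```

Thunderbird displays the same value in decimal, so a certificate made with `-set_serial 2` shows "Serial Number: 2"; the serial is inside the signed tbsCertificate, which is why it cannot be edited afterwards without re-issuing.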

