Duplicated SerialNumber Cert
-
I'm using around 80 user certificates on OpenVPN connections. I also use revocation lists (CRLs). Last week I discovered an issue: duplicate SerialNumbers (generated by the same CA). This issue took me too much time. I have a PowerShell script to search for duplicate SerialNumbers. If you have duplicated serial numbers and you are using CRLs to invalidate certificates, you should revoke every certificate with a non-unique SerialNumber (per CA) and generate new ones. The script is available at https://pastebin.com/JFNPSagN
https://github.com/alvarsedano/pfSense-Certificate-Viewer
I hope it can be useful.
-
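A CRL lists revoked certificates by serial number only (the issuer is implied by the CRL's own issuer), so two certificates from the same CA with the same serial cannot be revoked independently: revoking one revokes both, which is why the post above says to revoke and reissue every affected certificate. The following shell script is an added example, not the PowerShell script from this thread or any pfSense tool. It assumes the openssl CLI and a directory of PEM certificates named *.crt (pfSense stores each certificate base64-encoded in the <crt> element of config.xml; decode those to files first). The make_demo_certs helper builds a constructed sample set with the same reused serials (0x2F, 0x30) as in the table later in the thread.

```shell
#!/bin/sh
# Added example, not the thread's PowerShell script: find certificates that share a
# serial number under the same issuing CA. Assumes the openssl CLI and a directory of
# PEM certificates named *.crt (export each pfSense <cert><crt> blob, base64-decoded).

# Print "issuer<TAB>serial<TAB>file" for one PEM certificate. RFC2253 name output
# keeps the issuer DN on one line in a stable form across OpenSSL versions.
cert_identity() {
    f="$1"
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
    printf '%s\t%s\t%s\n' "$issuer" "$serial" "$f"
}

# Scan DIR and print one line per (issuer, serial) pair that occurs more than once:
# "issuer<TAB>serial<TAB>file1 file2 ...". Returns 1 if any duplicate was found, so
# it can gate a cron job or a pre-revocation check.
find_dup_serials() {
    dir="$1"
    for f in "$dir"/*.crt; do
        [ -e "$f" ] && cert_identity "$f"
    done | sort | awk -F'\t' '
        function flush() { if (n > 1) { print key "\t" files; found = 1 } }
        ($1 "\t" $2) != key { flush(); key = $1 "\t" $2; n = 0; files = "" }
        { n++; files = files (n > 1 ? " " : "") $3 }
        END { flush(); exit found }'
}

# Constructed sample set for a local test: one CA and five user certificates, two
# pairs of which reuse serials 0x2F and 0x30 (the same values as in the table in
# this thread). EC keys keep generation fast; everything here is throwaway.
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -subj "/CN=internal-ca" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for spec in alopez:0x2F berchules2:0x2F auditores1:0x30 lhEntrada:0x30 cgomez:0x32; do
        name=${spec%%:*}
        serial=${spec#*:}
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "$serial" -days 1 -out "$dir/$name.crt" >/dev/null 2>&1
    done
}

# Usage: sh dupserial.sh /path/to/certs   (prints duplicates, exit status 1 if any)
if [ -n "$1" ]; then
    find_dup_serials "$1"
fi
```

Grouping is done on the (issuer, serial) pair rather than the serial alone, because the same serial under two different CAs is perfectly valid; only collisions under one CA break CRL handling. On the constructed set the script prints two lines, one for serial 2F (alopez, berchules2) and one for 30 (auditores1, lhEntrada), and exits 1; cgomez with serial 32 is not listed.
-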
@al_sedano said in Duplicated SerialNumber Cert:
I'm using around 80 user certificates on OpenVPN connections. I also use revocation lists (CRLs). Last week I discovered an issue: duplicate SerialNumbers (generated by the same CA). This issue took me too much time. I have a PowerShell script to search for duplicate SerialNumbers. If you have duplicated serial numbers and you are using CRLs to invalidate certificates, you should revoke every certificate with a non-unique SerialNumber (per CA) and generate new ones. The script is available at https://pastebin.com/JFNPSagN
I hope it can be useful.

Duplicate Certs example
Duplicated Serial Numbers (per CA)

Issuer       SerialNumber  FriendlyName   DnsNameList    Subject
internal-ca  2F            5b55afd4962b3  {alopez}       alopez
internal-ca  2F            5b6021151d87c  {berchules2}   berchules2
internal-ca  30            5b55b00e16bb3  {auditores1}   auditores1
internal-ca  30            5ba4a21be1e42  {lhEntrada}    lhEntrada
internal-ca  31            5b55b04689a50  {berchules}    berchules
internal-ca  31            5ba4a24d7c5c1  {lhPuesto}     lhPuesto
internal-ca  32            5b55b076b725e  {cgomez}       cgomez
internal-ca  32            5ba9ee754e885  {lhSalida}     lhSalida
-
Latest improved version. It now accepts the input file path from the console and shows the CRLs in which the cert is revoked.
https://github.com/alvarsedano/pfSense-Certificate-Viewer -
For info:
https://redmine.pfsense.org/issues/3694
https://forum.netgate.com/topic/69978/generated-certificates-with-non-unique-serial-numbers/2 -
@Pippin Thank you for showing me the origin of the issue. Pointed out on GitHub.