Certificates can be created with same serial as imported certificates [Solved]



  • Hi! I ran in to the following issue today.
    When new certificates are created, it is not verified if the serial number already exists.

    If a set of certificates are imported with higher serial number than the counter for the certificate manager has for stamping serial numbers, the numbers will ultimately collide and certificates will be created with the same serial number. And there is no way of manually setting the serial number from what i understand.

    So the way to go about fixing this was to create a set of "dummy" certificates. Which was fine for me in this instance since it was a small amount of imported certificates I needed to be taken account for.

    I thought of this as a heads up for all you you that has a couple of certificates imported.
    Has anyone else experienced this?
    In my opinion the serial number should be verified by the certificate manager to be unique (within that specific CA of course) before the certificate is stamped with it. or at least give me a warning.

    Issue found in: 2.4.4-RELEASE-p2


  • LAYER 8

    https://forum.netgate.com/topic/69978/generated-certificates-with-non-unique-serial-numbers/2

    When you import a CA, there is no way in the CA to determine how many certificates it has generated. It's up to the user to inform the system what the next serial number should be.


  • LAYER 8 Netgate

    I would not report any issues on anything but the current version, which is 2.4.4-p3.

    That said, it is incumbent upon the administrator to issue certificates with the correct and expected serial numbers. The field is right there to manipulate in the CA properties.

    b8d59209-4cf5-48e7-89c4-ff8d2e91cc4d-image.png

    This sort of falls into the "can only prevent so much foot-shooting" category. With that CA serial number setting, the certificate generator is only doing as it has been told.

    If a feature request does not exist for this at https://redmine.pfsense.org/ one can be created.



  • That's nice! Thanks for the reply, that solves much of the issue.
    I simply did not find the Serial for next certificate since I had my mind wrapped around looking in the settings for the certificate creation, not editing the CA. My bad!
    how much help you give the user is always something that can be discussed, but sure I can agree with this as long as the serial can be changed.

    Thanks for the quick reply!


Log in to reply