Generated certificates with non-unique serial numbers


  • Hi,

    I just opened a new issue (https://redmine.pfsense.org/issues/3694) on the bug tracker because a certificate that is not in a CRL is treated as REVOKED.
    Jim P. gave me a hint: certificates may have non-unique serial numbers. He was right.

    But that leads to another question:
    Why did pfSense generate 2 certificates with the same serial number? And how to prevent that?

  • Rebel Alliance Developer Netgate

    The usual way that happens is that the CA was made somewhere else and then imported into pfSense, but when it was imported, the serial field was not set to a number higher than your existing certificates.

    If it was created completely inside pfSense, then I can't see how it would have ever made a duplicate.


  • Are we talking about the counter that starts from one when the CA is created? It doesn't make sense that the revocation list stops working if there's a problem with a simple counter that is not even included in the created certificates, there must be some way around this.

  • Rebel Alliance Developer Netgate

    Yes, and it makes sense because of how certificate revocation works, but you are wrong that the counter isn't included in the certificate – it is. It's the certificate's serial number. It's not included in the CA.

    When you import a CA, there is no way in the CA to determine how many certificates it has generated. It's up to the user to inform the system what the next serial number should be.

    For setups created in pfSense it's tracked internally and you can't get a conflict (unless you somehow manually roll back the serial value on the CA entry...)

  • Rebel Alliance Developer Netgate

    If you had used EasyRSA on pfSense 1.2.x to make the certificates and imported the CA from there, you have to be careful to get the serial number from EasyRSA when importing. EasyRSA tracked it in a separate text file. See https://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x
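
Added example, not part of the thread and not pfSense or EasyRSA code: a check to run before importing an externally managed CA, showing why a shared serial makes an unrevoked certificate appear revoked and which value the next-serial field needs. It assumes the CA kept an OpenSSL-style `index.txt` database (as EasyRSA does); the sample data and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of an OpenSSL/EasyRSA index.txt (tab-separated fields):
# status, expiry, revocation date, serial (hex), file name, subject DN.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/CN=server\n"
    "V\t300101000000Z\t\t02\tunknown\t/CN=alice\n"
    "R\t300101000000Z\t240601000000Z\t03\tunknown\t/CN=bob\n"
    "V\t300101000000Z\t\t03\tunknown\t/CN=carol\n"  # issued after a counter reset
    "V\t300101000000Z\t\t0A\tunknown\t/CN=dave\n"
)


def parse_index(text):
    """Return a list of (status, serial, subject) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        status, _expiry, _revoked, serial_hex, _file, subject = fields
        records.append((status, int(serial_hex, 16), subject))
    return records


def duplicate_serials(records):
    """Map each serial used more than once to the subjects sharing it."""
    by_serial = defaultdict(list)
    for _status, serial, subject in records:
        by_serial[serial].append(subject)
    return {s: subs for s, subs in by_serial.items() if len(subs) > 1}


def crl_verdict(records):
    """Map subject -> revoked?, matching on serial number as a CRL does."""
    revoked = {serial for status, serial, _ in records if status == "R"}
    return {subject: serial in revoked for _, serial, subject in records}


def next_serial(records):
    """Lowest value that is safe for the next-serial field on import (decimal)."""
    return max(serial for _, serial, _ in records) + 1


if __name__ == "__main__":
    recs = parse_index(SAMPLE_INDEX)
    print("duplicates:", duplicate_serials(recs))
    print("treated as revoked:", [s for s, r in crl_verdict(recs).items() if r])
    print("next serial:", next_serial(recs))
```

In the sample, carol's certificate was never revoked but shares serial 3 with bob's revoked one, so a serial-based lookup reports both as revoked.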