
Bug #11514

Renewing a self-signed CA or certificate does not update the serial number

Added by Jim Pingle about 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 02/23/2021
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

When renewing a self-signed CA entry or self-signed certificate in the GUI, the serial number is not replaced with a new one. The main example of this is the automatic GUI cert, which has a serial of 0 before and 0 after renewal.

Since the serial is not replaced, some clients such as Firefox reject the cert change if the old one was stored (e.g. SEC_ERROR_REUSED_ISSUER_AND_SERIAL error).

Since it's self-signed the serial can be randomized safely.

The serial is replaced as expected when renewing a regular certificate.
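The following is an added example, not pfSense code, that reproduces the condition described above and checks a renewed self-signed certificate for it: a client such as Firefox matches a cached certificate by its (issuer, serial) pair, so a renewal that keeps the same pair is what triggers SEC_ERROR_REUSED_ISSUER_AND_SERIAL. It assumes an openssl binary on PATH; the file names and the CN are constructed.

```shell
#!/bin/sh
# Added example (not pfSense code): reproduce the renewal condition that
# triggers Firefox's SEC_ERROR_REUSED_ISSUER_AND_SERIAL and check for it.
# Assumes an openssl binary on PATH; file names and the CN are constructed.
set -eu

# Print the (issuer, serial) pair, which is what a client uses to match a
# cached certificate against a newly presented one.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# Exit 0 when the renewed cert carries a different issuer/serial pair than
# the old one, 1 when a client that cached the old cert would see a reuse.
check_renewal() {
    [ "$(issuer_serial "$1")" != "$(issuer_serial "$2")" ]
}

# Self-signed cert with an explicit serial: 0 mimics the buggy GUI cert.
make_selfsigned() {   # $1 = output PEM, $2 = serial (decimal or 0x hex)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=pfsense.example" -days 30 -set_serial "$2" 2>/dev/null
}

# Random 128-bit serial, the safe choice for a self-signed renewal.
random_serial() {
    printf '0x%s' "$(openssl rand -hex 16)"
}

demo() {
    dir=$(mktemp -d)
    make_selfsigned "$dir/old.pem" 0
    make_selfsigned "$dir/renewed_buggy.pem" 0              # serial stays 0
    make_selfsigned "$dir/renewed_fixed.pem" "$(random_serial)"
    for renewed in renewed_buggy renewed_fixed; do
        if check_renewal "$dir/old.pem" "$dir/$renewed.pem"; then
            echo "$renewed: new issuer/serial, clients will accept it"
        else
            echo "$renewed: same issuer/serial, cached clients will reject"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run against a certificate exported before and after a renewal in the Cert Manager to confirm the renewed one got a fresh serial.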

Associated revisions

Revision 4aa7c7ae (diff)
Added by Jim Pingle about 2 months ago

Improve CA/Self-Signed serial handling. Fixes #11514

Revision 3987c45b (diff)
Added by Jim Pingle about 2 months ago

Improve CA/Self-Signed serial handling. Fixes #11514

(cherry picked from commit 4aa7c7aefc273464b8e66e6176a860b0246f8ee9)

History

#1 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 2 months ago

  • Description updated (diff)

#3 Updated by Danilo Zrenjanin about 1 month ago

  • Status changed from Feedback to Resolved

Tested on the latest release.

Renewed certificate got a new serial number. It works as expected. Ticket resolved.

#4 Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.5.1

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Resolved to Feedback

Needed to be tested on 2.5.1-RC

#6 Updated by Jim Pingle about 1 month ago

To test, on 2.5.0 or 21.02-p1:

  • Generate a fresh self-signed GUI cert at an SSH or console shell prompt: pfSsh.php playback generateguicert
  • Access the GUI from Firefox, accept the self-signed certificate
  • Navigate to System > Cert Manager, Certificates tab
  • Renew the GUI certificate, note that the serial is 0 (or may not be printed at all) and is still 0 after renewal.
  • Attempt to access another page in the GUI, and Firefox will reject the certificate as mentioned in the description above.

Repeat the test on a snapshot with the fix and the serial should be randomized and different before/after renewal, and it will not be rejected by Firefox.

#7 Updated by Jim Pingle about 1 month ago

  • Subject changed from Renewing a self-signed CA or self-signed certificate does not update the serial to Renewing a self-signed CA or certificate does not update the serial number

Updating subject for release notes.
