Bug #11514
closedRenewing a self-signed CA or certificate does not update the serial number
100%
Description
When renewing a self-signed CA entry or self-signed certificate in the GUI the serial number is not replaced with a new one. The main example of this is the automatic GUI cert, which has a serial of 0
before and 0
after renewal.
Since the serial is not replaced, some clients such as Firefox reject the cert change if the old one was stored (e.g. SEC_ERROR_REUSED_ISSUER_AND_SERIAL
error).
Since it's self-signed the serial can be randomized safely.
The serial is replaced as expected when renewing a regular certificate.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 4aa7c7aefc273464b8e66e6176a860b0246f8ee9.
Updated by Danilo Zrenjanin almost 4 years ago
- Status changed from Feedback to Resolved
Tested on the latest release.
Renewed certificate got a new serial number. It works as expected. Ticket resolved.
Updated by Jim Pingle almost 4 years ago
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho almost 4 years ago
- Status changed from Resolved to Feedback
Needed to be tested on 2.5.1-RC
Updated by Jim Pingle almost 4 years ago
To test, on 2.5.0 or 21.02-p1:
- Generate a fresh self-signed GUI cert at an SSH or console shell prompt:
pfSsh.php playback generateguicert
- Access the GUI from Firefox, accept the self-signed certificate
- Navigate to System > Cert Manager, Certificates tab
- Renew the GUI certificate, note that the serial is 0 (or may not be printed at all) and is still 0 after renewal.
- Attempt to access another page in the GUI, and Firefox will reject the certificate as mentioned in the description above.
Repeat the test on a snapshot with the fix and the serial should be randomized and different before/after renewal, and it will not be rejected by Firefox.
Updated by Jim Pingle almost 4 years ago
- Subject changed from Renewing a self-signed CA or self-signed certificate does not update the serial to Renewing a self-signed CA or certificate does not update the serial number
Updating subject for release notes.