Bug #11514

Updated by Jim Pingle about 3 years ago

When renewing a self-signed CA entry or self-signed certificate in the GUI, the serial number is not replaced with a new one. The main example of this is the automatic GUI cert, which has a serial of `0` before and `0` after renewal.

Since the serial is not replaced, some clients such as Firefox reject the cert change if the old one was stored (e.g. `SEC_ERROR_REUSED_ISSUER_AND_SERIAL` error).

 Since it's self-signed the serial can be randomized safely. 

 The serial is replaced as expected when renewing a regular certificate.
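
The behaviour described above, as an added example that is not pfSense code and not part of the original report: it re-issues a self-signed certificate once with the serial kept at `0` and once with a random serial, then compares the issuer and serial pair that the Firefox error refers to. The subject values, the 398-day lifetime and the function names `issue_self_signed`, `issuer_serial` and `renew` are assumptions made for the example.

```php
<?php
// Added example (not pfSense code): renew a self-signed certificate with a
// fresh random serial and compare its issuer+serial pair with the old one.

// Constructed sample subject; these DN values are placeholders.
$dn  = ['commonName' => 'fw.example.test', 'organizationName' => 'Example'];
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                         'private_key_bits' => 2048]);

function issue_self_signed(array $dn, $key, int $serial, int $days = 398): string
{
    $opts = ['digest_alg' => 'sha256'];
    $csr  = openssl_csr_new($dn, $key, $opts);
    // A null CA certificate makes openssl_csr_sign() produce a self-signed cert.
    $cert = openssl_csr_sign($csr, null, $key, $days, $opts, $serial);
    if ($cert === false || !openssl_x509_export($cert, $pem)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $pem;
}

// Issuer DN plus serial: the pair named in SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
function issuer_serial(string $pem): string
{
    $info = openssl_x509_parse($pem);
    ksort($info['issuer']);
    return json_encode($info['issuer']) . '#' . $info['serialNumberHex'];
}

function renew(string $oldPem, array $dn, $key): string
{
    do {
        // random_int() draws from a CSPRNG; the range keeps the serial
        // positive and non-zero.
        $newPem = issue_self_signed($dn, $key, random_int(1, PHP_INT_MAX));
    } while (issuer_serial($newPem) === issuer_serial($oldPem));
    return $newPem;
}

$old        = issue_self_signed($dn, $key, 0); // serial 0, as in the report
$sameSerial = issue_self_signed($dn, $key, 0); // renewal that keeps the serial
$fixed      = renew($old, $dn, $key);          // renewal with a new serial

// Compare the old pair with each renewal.
var_dump(issuer_serial($old) === issuer_serial($sameSerial));
var_dump(issuer_serial($old) === issuer_serial($fixed));
```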
