cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Cc: Bas van den Dikkenberg <bas AT dikkenberg.net>
- Subject: Re: [Visit BIT][19.06.2013] restore correct operation of CAcert signer
- Date: Thu, 20 Jun 2013 12:04:52 +0200
- Organization: CAcert
[redirecting this discussion to a more appropriate list]
On 19.06.2013 22:46, Bas van den Dikkenberg wrote:
> Why not build in a check that checks if a serial is free if not next one etc
> etc ?
Well, if we were writing this software from scratch, that could be a very
sensible thing to do. However, on this production server we are using the
standard openssl software for signing certificates in CA style. This software
complains and blocks on encountering a duplicate serial number. When used
properly *from day one* on, duplicate serial numbers *cannot* happen with
this software, so this is quite reasonable behaviour.
But we have learned now that somewhere in the grey past (in the 2007 time
frame, before strict policies were in place, and before the servers were
located in and operated from Holland), a bump down of the class 3 serial
number must have been performed without taking care of the ensuing issues.
This action left kind of a 'time bomb' in the system, which has hit us now.
Regards,
-- wytze
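The thread discusses two distinct hazards in the OpenSSL `ca` workflow: a serial counter that collides with an already-issued certificate (which OpenSSL refuses), and a counter that was "bumped down" below the highest serial ever issued, which stays silent until the counter catches up with an old entry. The script below is an added example, not CAcert's tooling or part of OpenSSL; it assumes the standard `index.txt` database layout (tab-separated status, expiry, revocation date, hex serial, filename, subject DN) and the `serial` file holding the next serial in hex, and runs against a constructed sample rather than a real CA database. It reports both conditions so an operator can detect a latent collision before the next signing request, rather than when OpenSSL blocks.

```python
"""Pre-signing sanity check for an OpenSSL-style CA serial counter.

Added example (not CAcert's or OpenSSL's own code). Assumes the stock
OpenSSL "ca" database format for index.txt and a hex counter in "serial".
"""


def parse_index(index_text):
    """Return the set of serials (as ints) already recorded in index.txt.

    Each line is tab-separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
    revocation date (empty unless revoked), serial in hex, filename, subject.
    Revoked and expired entries still count: their serial is taken forever.
    """
    used = set()
    for lineno, line in enumerate(index_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            raise ValueError("index.txt line %d has %d fields, expected 6"
                             % (lineno, len(fields)))
        used.add(int(fields[3], 16))
    return used


def format_serial(n):
    """Render a serial the way OpenSSL writes it: uppercase hex, even digit count."""
    h = "%X" % n
    return h if len(h) % 2 == 0 else "0" + h


def check_serial(serial_hex, used):
    """Evaluate the counter from the 'serial' file against issued serials.

    collides:         the very next signing would hit a duplicate serial
    below_high_water: the counter sits below the largest serial ever issued,
                      i.e. a collision is pending even if not immediate
    next_free:        smallest unused serial >= the counter (avoids the block,
                      but leaves the counter below the high-water mark)
    monotonic_next:   high-water mark + 1, the value that restores a strictly
                      increasing counter and removes the latent problem
    """
    candidate = int(serial_hex, 16)
    high_water = max(used) if used else -1
    next_free = candidate
    while next_free in used:
        next_free += 1
    return {
        "collides": candidate in used,
        "below_high_water": candidate <= high_water,
        "next_free": format_serial(next_free),
        "monotonic_next": format_serial(high_water + 1),
    }


# Constructed sample database: serials 0A, 0B (revoked) and 0D were issued,
# and the counter file has been set back to 0B.
SAMPLE_INDEX = (
    "V\t140619120000Z\t\t0A\tunknown\t/CN=alice.example\n"
    "R\t140619120000Z\t130101000000Z\t0B\tunknown\t/CN=bob.example\n"
    "V\t140619120000Z\t\t0D\tunknown\t/CN=carol.example\n"
)
SAMPLE_SERIAL = "0B"

if __name__ == "__main__":
    report = check_serial(SAMPLE_SERIAL, parse_index(SAMPLE_INDEX))
    for key, value in report.items():
        print("%-17s %s" % (key + ":", value))
```

Run against a real CA directory by reading `index.txt` and `serial` into `parse_index` and `check_serial`. The distinction between `next_free` and `monotonic_next` is the point of the thread: skipping to the next free value unblocks one signing, but only resetting the counter above the high-water mark removes the remaining collisions waiting further along.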
- Re: [Visit BIT][19.06.2013] restore correct operation of CAcert signer, Wytze van der Raay, 06/20/2013
- RE: [Visit BIT][19.06.2013] restore correct operation of CAcert signer, ulrich, 06/23/2013
- Re: [Visit BIT][19.06.2013] restore correct operation of CAcert signer, Wytze van der Raay, 06/24/2013