Generating Duplicate Certificates with OpenSSL CA

At work a lot of our internal servers have SSL certs we've generated ourselves with openssl (through some simple scripts). The generation works fine, but the subsequent handling needs improvements; as a consequence we've lost any non-encrypted copy of the SSL cert for a server. The consequence is just that we'll have to spend some time making a new cert and deploying it, but this leads me to the problem.

When I try to create a new SSL cert for internal.server.company, openssl fails at the end of the process with

    failed to update database
    TXT_DB error number 2

because there is already a certificate for that host in the database.

If the old cert had expired, I believe openssl ca -updatedb would remove it from the database, but that is not the case.

I can work around it by opening (the relevant) index.txt in an editor, searching for internal.server.company and deleting the line found - but that seems like a hack. Is there a good way to make openssl accept that I want to make a new cert for a name that it thinks already has a cert?

asked Aug 10 '18 at 14:27 by Henrik
edited 30 mins ago by garethTheRed

1 Answer

In the same folder as your database (the index or index.txt file) create a file index.attr and add the following:

    unique_subject = no

If you're unsure where your database file is located, check the openssl.cnf file you're using for something like the following:

    [ CA_default ]
    dir = ./demoCA # Where everything is kept
    certs = $dir/certs # Where the issued certs are kept
    crl_dir = $dir/crl # Where the issued crl are kept
    database = $dir/index.txt

In the above example, the database is index.txt and resides in ./demoCA. You'll therefore need to place your new index.attr file in ./demoCA.

answered Aug 10 '18 at 14:42 by garethTheRed
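
The check that the answer's index.attr setting switches off can be modelled against the CA's own files. This is an added example, not part of the original question or answer: a POSIX shell sketch that reads index.attr and index.txt to tell whether a subject would be refused, and lists subjects that end up with more than one valid certificate. The function names and sample rows are constructed, and a missing index.attr is assumed to mean unique_subject = yes.

```shell
#!/bin/sh
# Added example: models the subject-uniqueness check of `openssl ca`.
# index.txt columns (tab-separated): status, expiry, revocation date,
# serial, file name, subject DN. Status: V valid, R revoked, E expired.

# Succeeds when unique_subject is in force for CA directory $1.
# Assumption: a missing index.attr (or missing key) means "yes".
unique_subject_enabled() {
    attr="$1/index.attr"
    [ -f "$attr" ] || return 0
    val=$(sed -n 's/^[[:space:]]*unique_subject[[:space:]]*=[[:space:]]*//p' "$attr" | tail -n 1)
    case "$val" in
        [nNfF0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints how many rows in index file $1 are still marked V for subject $2.
valid_rows_for_subject() {
    SUBJ="$2" awk -F'\t' '$1 == "V" && $6 == ENVIRON["SUBJ"] { n++ } END { print n + 0 }' "$1"
}

# Succeeds when signing a request for subject $2 would be refused.
would_collide() {
    unique_subject_enabled "$1" &&
        [ "$(valid_rows_for_subject "$1/index.txt" "$2")" -gt 0 ]
}

# Prints "count<TAB>subject" for each subject with more than one V row.
duplicate_valid_subjects() {
    awk -F'\t' '$1 == "V" { c[$6]++ }
        END { for (s in c) if (c[s] > 1) printf "%d\t%s\n", c[s], s }' "$1"
}

# Constructed sample CA directory (rows are not taken from the page).
make_sample_ca() {
    d=$(mktemp -d)
    printf 'V\t280810142700Z\t\t01\tunknown\t/CN=internal.server.company\n' > "$d/index.txt"
    printf 'R\t280810142700Z\t240101000000Z\t02\tunknown\t/CN=old.server.company\n' >> "$d/index.txt"
    echo "$d"
}

ca=$(make_sample_ca)
would_collide "$ca" "/CN=internal.server.company" && echo "default: re-issue refused"
echo 'unique_subject = no' > "$ca/index.attr"
would_collide "$ca" "/CN=internal.server.company" || echo "index.attr set: re-issue allowed"
rm -rf "$ca"
```

A subject reported by duplicate_valid_subjects has more than one unrevoked certificate in the database; running openssl ca -revoke on the superseded certificate marks its row R so that only the replacement remains valid.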