On 03/06/2014 10:10 AM, Morris, Andi wrote:
However, I've just spotted that I had the same commonName for both my server.cnf and ca.cnf.
That's a problem and one I've see others make. Any cert whose subject and issuer are identical is considered a self-signed cert and you won't "chain up" to the signing CA cert. It also become ambiguous when both certs are present. Each X509 library may handle this differently so you may get different results depending on the implementation. The simple answer is "don't do it", it just creates problems. FWIW certs are disambiguated by the <subject, serial> pair, CA's are never supposed to issue a cert with a previously used serial number. But the issuer field in a cert only contains a subject, this is why you'll often see the serial embedded in the subject of an issuer cert, it helps to properly identify the correct issuer cert. -- John