How to change the Serial Number of an OpenSSL certificate?
On 03.06.2007 23:29:27 by Ramon F Herrera
The dovecot (IMAP server) software comes with the script plus config
file included below. Due to Thunderbird's complaints about the
duplicate serial number I have been trying to change it. One of my
attempts was to add this line:
SN=1
It seemed to work, but when Thunderbird examines the certificate, it
still says: "Serial Number: 0".
How can I update that serial number?
TIA,
-Ramon F Herrera
--------------------------------------------------------------------
dovecot-openssl.cnf file:
--------------------------------------------------------------------
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=imap.example.com
# E-mail contact
emailAddress=postmaster@example.com
[ cert_type ]
nsCertType = server
--------------------------------------------------------------------
mkcert.sh file:
--------------------------------------------------------------------
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
Re: How to change the Serial Number of an OpenSSL certificate?
On 04.06.2007 00:06:32 by Ramon F Herrera
On Jun 3, 4:29 pm, Ramon F Herrera wrote:
> The dovecot (IMAP server) software comes with the script plus config
> file included below. Due to Thunderbird's complaints about the
> duplicate serial number I have been trying to change it. One of my
> attempts was to add this line:
>
> SN=1
>
> It seemed to work, but when Thunderbird examines the certificate, it
> still says: "Serial Number: 0".
>
> How can I update that serial number?
>
> TIA,
>
> -Ramon F Herrera
>
> --------------------------------------------------------------------
> dovecot-openssl.cnf file:
> --------------------------------------------------------------------
> [ req ]
> default_bits = 1024
> encrypt_key = yes
> distinguished_name = req_dn
> x509_extensions = cert_type
> prompt = no
>
> [ req_dn ]
> # country (2 letter code)
> #C=FI
>
> # State or Province Name (full name)
> #ST=
>
> # Locality Name (eg. city)
> #L=Helsinki
>
> # Organization (eg. company)
> #O=Dovecot
>
> # Organizational Unit Name (eg. section)
> OU=IMAP server
>
> # Common Name (*.example.com is also possible)
> CN=imap.example.com
>
> # E-mail contact
> emailAddress=postmas...@example.com
>
> [ cert_type ]
> nsCertType = server
>
> --------------------------------------------------------------------
> mkcert.sh file:
> --------------------------------------------------------------------
> #!/bin/sh
>
> # Generates a self-signed certificate.
> # Edit dovecot-openssl.cnf before running this.
>
> OPENSSL=${OPENSSL-openssl}
> SSLDIR=${SSLDIR-/etc/ssl}
> OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
>
> CERTDIR=$SSLDIR/certs
> KEYDIR=$SSLDIR/private
>
> CERTFILE=$CERTDIR/dovecot.pem
> KEYFILE=$KEYDIR/dovecot.pem
>
> if [ ! -d $CERTDIR ]; then
> echo "$SSLDIR/certs directory doesn't exist"
> exit 1
> fi
>
> if [ ! -d $KEYDIR ]; then
> echo "$SSLDIR/private directory doesn't exist"
> exit 1
> fi
>
> if [ -f $CERTFILE ]; then
> echo "$CERTFILE already exists, won't overwrite"
> exit 1
> fi
>
> if [ -f $KEYFILE ]; then
> echo "$KEYFILE already exists, won't overwrite"
> exit 1
> fi
>
> $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
> chmod 0600 $KEYFILE
> echo
> $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
I fixed this by going into Thunderbird's option menu and removing the
old certificates.
Still, I am curious: What's the deal with Serial Numbers?
-Ramon
Re: How to change the Serial Number of an OpenSSL certificate?
On 04.06.2007 06:13:59 by Sylvain Robitaille
Ramon F Herrera wrote:
> Still, I am curious: What's the deal with Serial Numbers?
Someone will certainly correct me on this if I'm mistaken, or omitting
an important detail, but I believe the serial number is used by the CA
at certificate-revocation time.
--
----------------------------------------------------------------------
Sylvain Robitaille                          syl@alcor.concordia.ca
Systems and Network analyst                 Concordia University
Instructional & Information Technology      Montreal, Quebec, Canada
----------------------------------------------------------------------
Re: How to change the Serial Number of an OpenSSL certificate?
On 05.06.2007 11:00:21 by Ulf Leichsenring
> How can I update that serial number?
You can't change the serial number of a certificate after it was
created. The serial number is part of the signed certificate.
Inside a CA every certificate gets its own unique serial number to
identify the certificate (e.g. for revocation etc.).
If you need to have a new serial number you have to revoke this
certificate and generate a new one by the CA.
Ulf
Re: How to specify the Serial Number of an OpenSSL certificate?
On 05.06.2007 21:34:38 by Ramon F Herrera
On Jun 5, 4:00 am, Ulf Leichsenring wrote:
> > How can I update that serial number?
>
> You can't change the serial number of a certificate
> after it was created.
I realize that. I am my own CA, using 'openssl' as explained in my OP.
My question is: how can I specify to the system: "this certificate
that you are making for me should have serial number 2"?
My wild guess was to add this line:
SN=2
I also tried NS=2 (note the transposed letters), which predictably was
rejected as an unknown variable, so we know that SN is a recognized
variable. Hopefully it means "Serial Number".
However, when the certificate is examined by Thunderbird, it always
shows Serial Number = 0.
-Ramon
Re: How to specify the Serial Number of an OpenSSL certificate?
On 05.06.2007 22:31:53 by Doug McIntyre
Ramon F Herrera writes:
>On Jun 5, 4:00 am, Ulf Leichsenring wrote:
>> > How can I update that serial number?
>>
>> You can't change the serial number of a certificate
>> after it was created.
>I realize that. I am my own CA, using 'openssl' as explained in my OP.
>My question is: how can I specify to the system: "this certificate
>that you are making for me should have serial number 2"?
The stock 'openssl' commandset looks for the file 'serial' (or
whatever is pointed to by the environmental variable ENV_SERIAL)
which has to look just right (i.e. an even amount of hex digits to be
able to turn them into bytes IIRC).
If it doesn't find this file, it punts and creates the serial number of '00'.
The CA.sh script has a -newca option that populates this file for you
magically at 01. But since it uses all relative files with no directory
structure possible, you generally have to cd and run your CA.sh
file in order to utilize it the way it was (barely) designed.
I do wish there was a better PKI framework built around the OpenSSL
libs. It's clear the command line openssl isn't going to cut it, as
much as the OpenPKI and OpenCA projects are going to keep on trying.