Don't generate certificates with the same serial number as the CA

Bug discovered using an old version of curl relying on the NSS library: the certificates generated by the context broker are rejected with error -8054: SEC_ERROR_REUSED_ISSUER_AND_SERIAL. This is because we use the same serial number as the CA in the generated certificates. Fixed by incrementing the serial number by one. (cherry picked from commit b7e3a0d40e5d4a9f20080f2a67858da1fe72fc72) (Fix for Bug 7042)
nimbusproject · Jun 8, 2010 · 152442f · 152442f
1 parent e8939b9
commit 152442f
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/ctx-broker/src/org/nimbustools/ctxbroker/security/CertificateAuthority.java b/ctx-broker/src/org/nimbustools/ctxbroker/security/CertificateAuthority.java
@@ -47,6 +47,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
 
 public class CertificateAuthority {
 
@@ -198,7 +199,7 @@ private String getTargetDN(String cnString) {
     private void initializeGenerator() {
         this.certGen.reset();
 
-        this.certGen.setSerialNumber(this.caX509.getSerialNumber());
+        this.certGen.setSerialNumber(this.caX509.getSerialNumber().add(BigInteger.ONE));
         this.certGen.setSignatureAlgorithm(this.caX509.getSigAlgName());
         this.certGen.setIssuerDN(this.caX509Name);