2

I've set up my own CA following the directions from Jamie and issued my first certs a year ago happily. They have now expired, but I'm having a devils own time trying to renew them.

I have tried the code I used to create the certs in the first place, giving it a different output name, but I'm getting an error.

openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in intermediate/csr/blahapi2.csr.pem -out intermediate/certs/blahapi2.cert.pem 
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=AU/ST=Victoria/O=MD/CN=blahapi.there.com.au/emailAddress=pnunn@example.com
The matching entry has the following details
Type          :Valid
Expires on    :220501022116Z
Serial Number :1000
File name     :unknown
Subject Name  :/C=AU/ST=Victoria/O=MD/CN=blahapi.there.com.au/emailAddress=pnunn@example.com

I guess there is another way to renew a certificate with the same credentials, but I can't find it anywhere.

Clues?

Peter Nunn
  • 2,110
  • 3
  • 29
  • 44

1 Answers1

3

In home directory of CA. You need to fire below command and try signing again.

echo "unique_subject = no" >> index.txt.attr

You are getting this error because there is already an entry present in your CA database with same SAN. You can avoid this error by configuring CA to allow signing for non-Unique SAN.

Explanation: CA database is commonly saved in index.txt file. With above command we are setting attribute to sign non-unique Subject or Common-name or SAN.

Shubham Singh
  • 141
  • 2
  • 7