SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Article ID: 273656

Products

SITEMINDER

Issue/Introduction

CA Directory is configured as the Policy Store.
CADIR1 and CADIR2 are in replication and have SSL enabled.

Policy Server fails to connect to CADIR2 via SSL.

Environment

Release : 12.8.07

Cause

The problem was caused by the way the certificates were generated.

The following command was used to generate the DSA certificate on each instance.

On CADIR1:

./dxcertgen -D CADIR1 -i "CN=DXCertGenCA,OU=SSO,O=TEST,C=AU" -d 3650 certs


On CADIR2:

./dxcertgen -D CADIR2 -i "CN=DXCertGenCA,OU=SSO,O=TEST,C=AU" -d 3650 certs

This generated a separate RootCA for each DSA instance with the same IssuerDN (though the serial numbers may differ).

The RootCA certificate from CADIR1 was imported into cert9.db with the certutil command successfully.

When importing the RootCA from CADIR2, however, the following error is reported:

certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

The Policy Server cannot connect to CADIR2 unless the issuer certificate is imported into cert9.db as a trusted CA.
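To show what certutil is objecting to, here is an added example (not code from this article, from NSS or from CA Directory) that re-implements the (issuer DN, serialNumber) uniqueness rule NSS applies to cert9.db, using only the Python standard library. The certificates are constructed, certificate-shaped DER blobs with the DN shortened to the CN, and the function names are assumptions of this example.

```python
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; bodies in this example stay below 256 bytes."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, body_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def issuer_and_serial(cert_der: bytes):
    """Return (issuer Name as DER bytes, serialNumber as int) of an X.509 cert."""
    _, tbs_start, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs_start)         # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        tag, start, end = _read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(cert_der[start:end], "big", signed=True)
    _, _, end = _read_tlv(cert_der, end)               # skip signature AlgorithmIdentifier
    tag, _, issuer_end = _read_tlv(cert_der, end)      # issuer Name starts at `end`
    if tag != 0x30:
        raise ValueError("issuer Name SEQUENCE expected")
    return cert_der[end:issuer_end], serial

def import_cert(db: dict, cert_der: bytes) -> str:
    """Model of certutil -A: db maps (issuer, serial) -> DER already in cert9.db.
    Re-adding the identical cert is fine; a different cert under the same key is not."""
    key = issuer_and_serial(cert_der)
    if key in db and db[key] != cert_der:
        return "SEC_ERROR_REUSED_ISSUER_AND_SERIAL"
    db[key] = cert_der
    return "ok"

def fake_cert(issuer_cn: str, serial: int, key_blob: bytes) -> bytes:
    """Constructed certificate-shaped DER (not a valid cert, DN shortened to CN only);
    only version, serialNumber, signature algorithm and issuer are meaningful."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, issuer_cn.encode()))))
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big")     # minimal positive INTEGER
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser)        # v3, serial
           + _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSA
           + name + _tlv(0x30, b"") + name + _tlv(0x04, key_blob))  # issuer, validity, subject, key
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Two self-signed roots from different DSAs that happen to share the DN and serial collide; the same DN with a distinct serial is accepted, which is why the error depends on the serials dxcertgen produced.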

Resolution

When generating a new CA with dxcertgen, ensure that the IssuerDN is unique.

The RootCA certificates are not meant to secure the DSA instances themselves; they should be used to issue the DSA certificates.

Alternatively, dxcertgen can be used to generate a key pair for the DSA and a CSR to be signed by another CA.

The CA certificate chain that issued the DSA certificate should then be imported into cert9.db with certutil on the Policy Server.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-ssl-encryption/about-dxcertgen-tool.html