How do I issue multiple certificates for the same Common Name?
Solution 1
Do you need dupes? Traditionally browsers and clients required that the CommonName field of the Subject name match the hostname; modern ones prefer that an entry in the SubjectAlternativeName (SAN) extension do so. You can set other fields to differ e.g.
O=Floo Manufacturing, OU=floo server 2016, CN=www.floo.example.com
O=Floo Manufacturing, OU=floo server 2017, CN=www.floo.example.com
and the Subject DNs are unique even though CommonName by itself is not.
Or with modern clients you could put www.floo.example.com in SAN and use unique Subjects with no CommonName at all. But getting openssl to do per-cert SAN is a bit inconvenient; see e.g. https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san
To allow dupes: the official way
In your config file (which is $CAROOT/intermediate/openssl.cnf) go to the 'section' (delimited by lines of the form [somename] with optional whitespace) for your CA. Since you didn't use -name on the commandline the section name is the value of default_ca in the [ca] section or the default section (at the top before the first [somename] line); looking near your link it's probably [CA_default]. Add a line
unique_subject=no
with spacing and following # comment optional. Or if you already have a line for this item change and/or uncomment it, but looking near your link you probably don't.
See man page ca(1ssl) on your system or the web under CONFIGURATION FILE OPTIONS.
To allow dupes: the unofficial way
Empty (truncate) the configured database file which is conventionally index.txt and looking near your link they apparently use that. Or edit that file and delete the line(s) for the subject(s) you want to re-use -- but in this situation it looks like you have only one or a few and you want to re-use it or all of them, so emptying the file is simpler.
Solution 2
If you want to create multiple certificates with the same subject, you can change your configuration like that:
You can change in the CA section (probably [CA_default]) in your openssl.cnf the setting
unique_subject = no
But this setting is also saved in file index.txt.attr, you have to change this, too. Otherwise it will not work.
Related videos on Youtube
![How to Auto Generate Certificates & Email to All participants-[Google Form]](https://i.ytimg.com/vi/-T-C_yE4Idw/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBET8y40yMUPiGh57iLA97upnOcbg)
08 : 44
![How to Auto Generate Certificates With Different Name of Participants-[Microsoft Word]](https://i.ytimg.com/vi/Kgj2CUZpKFg/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLC0GKLIJ5OFjBc2GYnvtli6SV_Lsg)
07 : 49
06 : 13
03 : 16
02 : 54
Comments
-
spraff over 1 year
I am creating a Certificate Authority for an intranet.
I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has
CN=mysite.com.In the future this server certificate will expire and I will need to issue a new one. However, if I create another CSR with the same
CN=mysite.comthen when I sign it I getfailed to update database TXT_DB error number 2This error goes away if I create a new CSR with a different CN, but the CNs have to be the same or the browser won't say it's valid, right?
How do I fix this?
EDIT: I'm following this guide -- everything's fine up until the end of the linked page, but when I try to repeat the steps on this page to create a second certificate, openssl demands that I give the new certificate a different CN.
SUBJ="/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN" # Generate CSR echo "$PW" | openssl req \ -config "$CAROOT/intermediate/openssl.cnf" \ -new -sha256 -subj "$SUBJ" -passin stdin \ -key "$PRIV_ENC" -out "$CSR_INT" >/dev/null 2>&1 || { >&2 echo "Could not openssl req"; exit 1; } # Sign CSR openssl ca \ -config "$CAROOT/intermediate/openssl.cnf" \ -batch -extensions server_cert \ -days "$HTTP_DAYS" -notext -md sha256 \ -in "$CSR_INT" -out "$CRT_INT" || { >&2 echo "Could not openssl ca"; exit 1; }It's the
openssl cawhich fails.-
Orphans over 7 yearsCan you please elaborate your process? It seems like you are doing it all wrong -
spraff over 7 years@Orphans I edited it to link more info.
-
Zoredache over 7 yearsIf you are using openssl via the cli, can you include the actually command line you are using that results in the error condition?
-
-
spraff over 7 yearsTL;DR -- change
OUto some variation. -
kbolino about 4 yearsGiven that certs expire more often than CAs, what is the "proper" way to reissue a cert when it expires or is about to expire?
-
dave_thompson_085 about 4 years@kbolino: depending on how or for what they are used, I would say either tweaking Subject or setting unique_subject=no could be proper.
-
Digital ink over 3 yearsAlthough less detailed, this answer was more helpful due to it mention of the index.txt.attr file.
-
bigbear3001 over 3 yearsfor me i just needed to change the
index.txt.attrfile and no settings inopenssl.cnf
