Certificate server issues default certificates with identical serial numbers

  • 3007510
  • 30-May-2007
  • 26-Apr-2012


Novell eDirectory for NetWare 6.5
Novell NetWare 6.5 Support Pack 5
Novell International Cryptographic Infrastructure (NICI) 2.67
Novell Certificate Server (PKIS) 2.76

All servers have been installed into a new eDirectory tree using the NetWare 6.5 Support Pack 5 overlay installation CD
The first server installed into the eDirectory tree is acting as Certificate Authority (CA)


1) The default server certificates "SSL CertificateIP - servername"
issued by the Novell eDirectory Certificate Authority do not store a unique serial numbers.

2) Mozilla Forefox returns
ERROR: You have received an invalid certificate. Please contact the server administrator or email
correspondent and give them the following information:

Your certificate contains the same number as another certificate issued by the
certificate authority. Please get a new certificate containing a unique serial number.


The fix for this issue will be in NICI Version 2.72 shipped with the next security services patch (version 204)

1) delete the default Certificates
2) use PKIDIAG.NLM to generate new default Certificates


Reported to Engineering

Additional Information

Steps to duplicate the Problem
1) Install at least two new NetWare 6.5 Support Pack 5 servers into a new tree
2) For each server verify the details of the default server certificates (SSL CertificatesIP, SSL CertificateDNS)
2.1) Start iManager
2.2) Select Modify Object from the Directory Administration Roles and Tasks menu
2.3) Navigate to the container storing the NCP server objects
2.4) Choose a default server certificate and open the Public Key Certificate menu under the Certificates tab
2.5) Open the details and check the Serial Number attribute under the X.509 Certificate section

1) rfc3280 states: Serial number
The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative

2) For Novell Certificate Server NICI is responsible for generating the serial numbers