|Applies To||Keon Certificate Authority 6.0.2
Microsoft Windows 2000 Professional SP2|
|Issue||X.509 certificate serial numbers
An Apache web server fails to correctly identify the signer of a certificate when the certificate serial number has leading zeroes.|
|Cause||The Apache 2.x web server ships a version of mod_ssl that identifies a certificate by comparing its serial number. That comparison fails for certificates whose serial numbers have leading zeroes.
Using various tools, you can examine a certificate. If you display the certificate in KCA, you see the following:
Serial No.: A43043DAB7F6F8AE115E94854EEB6529
Using a Netscape browser or utilities supplied with OpenSSL (or BSAFE SSL-C), the serial number may be displayed as:
Using Microsoft Internet Explorer, you see the following:
00A4 3043 DAB7 F6F8 AE11 5E94 854E EB65 29
In the X.509 specification, the certificate serial number is defined as an ASN.1 INTEGER. All of the display formats above are therefore valid (each is the same integer rendered in hexadecimal), and any two of them compared as integers would be considered equivalent.|
|Resolution||This problem is not related to RSA Security code and must be resolved by a modification to the serial number comparison routine within the mod_ssl module. Note also that Apache 1.3.x has not been seen to suffer from this problem. For further information, please see http://www.apache.org and http://httpd.apache.org.|
|Legacy Article ID||a13411|
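The Cause section above explains why the same serial number can appear with or without a leading 00: the X.509 serial is an ASN.1 INTEGER, and DER requires a 0x00 pad byte whenever the first content byte has its top bit set (as 0xA4 does here), so tools that print the raw encoding show the pad and tools that print the integer do not. The following Python is an added illustration, not code from the article or from mod_ssl: it normalises the two renderings quoted in the article (the KCA and Internet Explorer strings) plus a constructed colon-separated rendering of the same value to an integer, DER-encodes and decodes the serial, and contrasts a text comparison (a stand-in for the failing behaviour described, not the actual mod_ssl routine) with an integer comparison.

```python
import re

# Renderings of the serial number quoted in the article.
KCA_DISPLAY = "A43043DAB7F6F8AE115E94854EEB6529"
IE_DISPLAY = "00A4 3043 DAB7 F6F8 AE11 5E94 854E EB65 29"
# Constructed for this example: the same value in colon-separated form.
COLON_DISPLAY = "a4:30:43:da:b7:f6:f8:ae:11:5e:94:85:4e:eb:65:29"


def _hexdigits(display: str) -> str:
    """Strip spaces, colons and any other separators, leaving hex digits only."""
    return re.sub(r"[^0-9a-fA-F]", "", display)


def parse_serial(display: str) -> int:
    """Normalise any hexadecimal rendering of an X.509 serial to an integer.
    Leading zero digits (including a DER pad byte) vanish in the conversion."""
    digits = _hexdigits(display)
    if not digits:
        raise ValueError("no hex digits in serial display")
    return int(digits, 16)


def der_encode_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER: tag 0x02, short-form length, then the
    minimal big-endian two's-complement content. When the first content byte
    has its top bit set, a 0x00 pad byte is required so the value stays positive."""
    if value < 0:
        raise ValueError("X.509 serial numbers are positive")
    content = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) > 127:
        raise ValueError("only short-form lengths are handled here")
    return bytes([0x02, len(content)]) + content


def der_decode_integer(der: bytes) -> int:
    """Decode a short-form DER INTEGER back to an integer."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(der[2:], "big", signed=True)


def text_match(a: str, b: str) -> bool:
    """The failure mode described in the article, modelled as a comparison of the
    hex text: a leading 00 makes otherwise identical serials look different.
    (Stand-in for the described behaviour, not mod_ssl's actual routine.)"""
    return _hexdigits(a).upper() == _hexdigits(b).upper()


def integer_match(a: str, b: str) -> bool:
    """The correct comparison: treat both renderings as the INTEGER they encode."""
    return parse_serial(a) == parse_serial(b)


if __name__ == "__main__":
    for name, shown in (("KCA", KCA_DISPLAY), ("IE", IE_DISPLAY), ("colon", COLON_DISPLAY)):
        print(f"{name:>5}: {shown!r} -> {parse_serial(shown):#x}")
    print("text match KCA vs IE   :", text_match(KCA_DISPLAY, IE_DISPLAY))
    print("integer match KCA vs IE:", integer_match(KCA_DISPLAY, IE_DISPLAY))
    print("DER:", der_encode_integer(parse_serial(KCA_DISPLAY)).hex())
```

Running it shows the text comparison rejecting the KCA and Internet Explorer renderings as different while the integer comparison accepts them, and the DER output carries the 00 pad byte that Internet Explorer displays. Any lookup keyed on a serial number should canonicalise to the integer (or to the minimal DER content bytes) before comparing.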