I've been experimenting a bit with self-issued certificates.

I set up a certificate authority, issued a certificate, and installed it on a webserver. I later deleted that certificate without bothering to revoke it, and decremented the number in the serial.txt file which openssl was using. (There was no good reason to do so, but it seemed a harmless thing to do).

After that, I used the certificate authority to re-issue a new certificate. When I install that certificate on the webserver and access it, Firefox shows me an error:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

I assume I am getting this error because of the fact that I decremented the serial.txt file, so the newly issued certificate had the same serial number as an older incarnation.

My questions are:

  • How does my browser know this? Does it keep a database somewhere of CA/serial numbers it has seen before?
  • Why does it care? What security risk would be entailed if my browser just ignored the duplicate serial number?
1 Answer

How does my browser know this?

Firefox seems to cache information about certificates which got used, at least until you restart the browser. If you've added an exception because you are using your own (maybe untrusted) CA then it might even have the information in the CA store.

What security risk would be entailed if my browser just ignored the duplicate serial number?

Revocation information about a certificate issued by a specific CA is checked by serial number only in CRL and OCSP. Thus reusing the same serial number would mean that the same revocation information gets applied.

Restarting Firefox didn't make the message go away. So I tried going to `about:preferences#advanced` and selecting 'Clear Now' next to 'Cached Web Content' and then restarting Firefox. That made the message disappear. And since I deleted the old certificate, I am never going to encounter a duplicate revocation, so there is no security risk in this case. Thank you! – SauceCode Nov 02 '16 at 17:32