How do I issue multiple certificates for the same Common Name?

Question

I am creating a Certificate Authority for an intranet.

I have generated a root and intermediate CA and successfully signed a server certificate using the intermediate CA. The server certificate has CN=mysite.com.

In the future this server certificate will expire and I will need to issue a new one. However, if I create another CSR with the same CN=mysite.com then when I sign it I get

failed to update database
TXT_DB error number 2

This error goes away if I create a new CSR with a different CN, but the CNs have to be the same or the browser won't say it's valid, right?

How do I fix this?

EDIT: I'm following this guide -- everything's fine up until the end of the linked page, but when I try to repeat the steps on this page to create a second certificate, openssl demands that I give the new certificate a different CN.

SUBJ="/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN"

# Generate CSR
echo "$PW" | openssl req \
    -config "$CAROOT/intermediate/openssl.cnf" \
    -new -sha256 -subj "$SUBJ" -passin stdin \
    -key "$PRIV_ENC" -out "$CSR_INT" >/dev/null 2>&1 ||
{
    >&2 echo "Could not openssl req";
    exit 1;
}

# Sign CSR
openssl ca \
    -config "$CAROOT/intermediate/openssl.cnf" \
    -batch -extensions server_cert \
    -days "$HTTP_DAYS" -notext -md sha256 \
    -in "$CSR_INT" -out "$CRT_INT" ||
{
    >&2 echo "Could not openssl ca";
    exit 1;
}

It's the openssl ca which fails.

Answer 1

If you want to create multiple certificates with the same subject, you can change your configuration like that:

You can change in the CA section (probably [CA_default]) in your openssl.cnf the setting

unique_subject = no

But this setting is also saved in file index.txt.attr, you have to change this, too. Otherwise it will not work.

Answer 2

Do you need dupes? Traditionally browsers and clients required that the CommonName field of the Subject name match the hostname; modern ones prefer that an entry in the SubjectAlternativeName (SAN) extension do so. You can set other fields to differ e.g.

O=Floo Manufacturing, OU=floo server 2016, CN=www.floo.example.com
O=Floo Manufacturing, OU=floo server 2017, CN=www.floo.example.com

and the Subject DNs are unique even though CommonName by itself is not. Or with modern clients you could put www.floo.example.com in SAN and use unique Subjects with no CommonName at all. But getting openssl to do per-cert SAN is a bit inconvenient; see e.g. https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san

To allow dupes: the official way

In your config file (which is $CAROOT/intermediate/openssl.cnf) go to the 'section' (delimited by lines of the form [somename] with optional whitespace) for your CA. Since you didn't use -name on the commandline the section name is the value of default_ca in the [ca] section or the default section (at the top before the first [somename] line); looking near your link it's probably [CA_default]. Add a line

 unique_subject=no

with spacing and following # comment optional. Or if you already have a line for this item change and/or uncomment it, but looking near your link you probably don't.

See man page ca(1ssl) on your system or the web under CONFIGURATION FILE OPTIONS.

To allow dupes: the unofficial way

Empty (truncate) the configured database file which is conventionally index.txt and looking near your link they apparently use that. Or edit that file and delete the line(s) for the subject(s) you want to re-use -- but in this situation it looks like you have only one or a few and you want to re-use it or all of them, so emptying the file is simpler.