[xmlsec] Problem with some cert which has a negative serial number

Andrew Fan Xuelei.Fan at Sun.COM
Mon Feb 21 21:44:08 PST 2005

Hi All,

I get negative serial number from openssl like:

$openssl genrsa -des3 -out ca.key 1024
$openssl req -new -key ca.key -config aconfig.conf -out ca.csr
$openssl x509 -req -days 60 -set_serial -0001 -in ca.csr -signkey ca.key 
-outform DER -out ca.cert

Hope that helps,

Chandler Peng wrote:

> Aleksey ,
> Aleksey Sanin wrote:
>> I think I have a patch that should fix the problem with negative
>> serial numbers (see attached). I would appreciate if you can try
>> it to make sure that it works for you.
>> Also if you have an example with certificate having negative
>> serial number, I would appreciate if you can share it so I
>> can create a test case.
> you can get such cert using the tool in SelfCert.zip , see Attachment. 
> This tool is derived from MS (version11.0.5510.0)
>> I failed to get a negative serial
>> number from openssl :)
> I can get the negative serial number only from this tool.
>> Thanks,
>> Aleksey

More information about the xmlsec mailing list