Creating and managing PKI certificates is always tricky. A small list of what went wrong today when following my own guide for importing your own Oracle Enterprise Manager certificate:
- The application (in this case, Oracle Enterprise Manager) actually checked the DN (Distinguished Name) of the certificate and rejected it.
- The CA certificate I used had only a 1024-bit key (that should be 2048 these days); hence it was not accepted by the browser.
- The new CA was created with a 2048-bit key, but it still issued certificates with 1024-bit keys (those should have been 2048 too); so the browser still did not accept the certificate.
- The certificates this CA issued used MD5 as the digest algorithm (should be SHA1); so the browser still did not accept the certificate.
- The browser throws a sec_error_reused_issuer_and_serial. This one is actually a bit more subtle. I had recreated the CA with the same name (DN) as the old one, and the serial numbers began at 1 in both cases. So I now had a certificate with the same issuer and serial number as an old certificate issued by the old CA, and that old certificate was stored as an exception in the browser.
Well, after solving all this, the browser (Firefox) is actually accepting the certificate without complaining. Nice.
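The pitfalls above can be caught before the certificate ever reaches the browser. The following is an added example, not code from the original post or from Oracle: it uses the third-party `cryptography` package to build a throwaway CA and server certificate in memory, replays the sequence from the list (old 1024-bit CA, CA recreated under the same DN with serials restarting at 1, then the corrected issuance), and runs a pre-flight check for key size, digest algorithm, expected subject CN, issuer DN and a reused (issuer, serial) pair. The host name, the CA name "Test CA" and the `issue` helper are constructed for the example; the check also flags SHA-1 signatures, which browsers reject today, in addition to the MD5 case the post hit.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048
# The post required SHA-1 in place of MD5; browsers today reject SHA-1 signatures too.
WEAK_DIGESTS = {"md5", "sha1"}


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cn, key, signing_key, serial, is_ca=False):
    """Build a certificate for `key`, signed by `signing_key` with SHA-256.
    Hypothetical helper standing in for whatever CA tooling issued the real cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def check_chain(leaf, ca, expected_cn, seen):
    """Return the reasons a browser or application would reject `leaf`.
    `seen` holds (issuer DN, serial) pairs the browser already stored, e.g. as
    certificate exceptions; `expected_cn` is the host name the application
    demands in the subject DN."""
    findings = []
    for label, cert in (("CA", ca), ("leaf", leaf)):
        bits = cert.public_key().key_size
        if bits < MIN_RSA_BITS:
            findings.append(f"{label} key is {bits} bits, need at least {MIN_RSA_BITS}")
        digest = cert.signature_hash_algorithm.name
        if digest in WEAK_DIGESTS:
            findings.append(f"{label} certificate is signed with {digest}")
    cn = leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != expected_cn:
        findings.append(f"subject CN {cn!r} does not match expected {expected_cn!r}")
    if leaf.issuer != ca.subject:
        findings.append("leaf issuer DN does not match the CA subject DN")
    if (leaf.issuer.rfc4514_string(), leaf.serial_number) in seen:
        findings.append("issuer DN and serial already seen: sec_error_reused_issuer_and_serial")
    return findings


def run_scenario():
    """Replay the post's sequence and return the findings of each stage."""
    host = "oem.example.test"  # constructed host name
    seen = set()

    # 1. Original CA and server certificate, both with 1024-bit keys, and the
    #    server certificate carrying a CN the application does not expect.
    old_ca_key = rsa.generate_private_key(65537, 1024)
    old_ca = issue("Test CA", "Test CA", old_ca_key, old_ca_key, serial=1, is_ca=True)
    old_leaf_key = rsa.generate_private_key(65537, 1024)
    old_leaf = issue("oem-old.example.test", "Test CA", old_leaf_key, old_ca_key, serial=1)
    old = check_chain(old_leaf, old_ca, host, seen)
    # The browser stored this one as an exception, so it remembers issuer + serial.
    seen.add((old_leaf.issuer.rfc4514_string(), old_leaf.serial_number))

    # 2. CA recreated with the same DN and a 2048-bit key; serials restart at 1
    #    and the leaf key is still 1024 bits.
    new_ca_key = rsa.generate_private_key(65537, 2048)
    new_ca = issue("Test CA", "Test CA", new_ca_key, new_ca_key, serial=1, is_ca=True)
    weak_leaf_key = rsa.generate_private_key(65537, 1024)
    weak_leaf = issue(host, "Test CA", weak_leaf_key, new_ca_key, serial=1)
    reissued = check_chain(weak_leaf, new_ca, host, seen)

    # 3. Fixed: 2048-bit leaf key and a random serial that cannot collide
    #    with anything the old CA issued under the same DN.
    good_key = rsa.generate_private_key(65537, 2048)
    good_leaf = issue(host, "Test CA", good_key, new_ca_key, serial=x509.random_serial_number())
    fixed = check_chain(good_leaf, new_ca, host, seen)
    return {"old": old, "reissued": reissued, "fixed": fixed}


if __name__ == "__main__":
    for stage, findings in run_scenario().items():
        print(stage, findings or "OK")
```

Random serials (`x509.random_serial_number()`) are the simplest way to avoid the reused issuer-and-serial error when a CA has to be recreated under an existing DN; a counter restarting at 1 is exactly what produced the collision in the post.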