openssl ca

In what circumstances would you set `unique_subject` to yes for an openssl ca?


By default unique_subject is set to yes, which prevents you from signing multiple certificates with the same distinguished name. Attempting to sign such a certificate will result in the following error message.

failed to update database
TXT_DB error number 2

There is however a clear use case for allowing duplicate dn, namely to issue certificates for relying parties with an extended expiration date. For instance the certificate of a website that needs to be refreshed after a couple of months (a similar argument has been made in [1]). Without changing the settings you can only issue a new certificate with the same dn if you revoke the existing certificate. But you may want to give the owner of the website a grace period in which both certificates are valid. The only other option I have come across is to change something in the dn (such as the OU) that is less relevant to the certificate [2].

The openssl documentation [3] has an entry for unique_subject in which they suggest that the default is chosen in order to be compatible with older versions. The page also mentions that this value should be set to no in order to make ca rollover easier. This suggests to me that a value of no is perfectly fine, and perhaps should be the default.

Many references can be found to this property, and often it is suggested that this value should be set to no (in both openssl.cnf and index.txt.attr files) [1, 2, 3, 4, many more]. I only found one place where someone suggested leaving it at yes or at least did not care enough about its actual value [5]. But, in that thread, just a blanket statement was given:

For the use case of a VPN, as EasyRSA was originally intended, the current setting is best.

Is it? Why?

I understand what the option does and how to use it. What I cannot find is a rationale for the earlier default of yes.

Is there some security concern that openssl ca tried to address with this default value?
What are the risks of issuing two certificates with the same dn?
Are there some practices that should be followed when setting unique_subject=no?
Are there valid reasons for leaving the value at its default setting?

In short are there arguments in favour of preventing multiple valid certificates with the same dn?

[1] https://github.com/OpenVPN/easy-rsa/issues/40#issuecomment-56191531
[2] https://serverfault.com/a/810608 (answer on https://serverfault.com/questions/810557/how-do-i-issue-multiple-certificates-for-the-same-common-name)
[3] https://www.openssl.org/docs/man1.1.1/man1/openssl-ca.html
[4] How do you sign a Certificate Signing Request with your Certification Authority?
[5] https://github.com/OpenVPN/easy-rsa/issues/40#issuecomment-150035723


Solution

  • I think you already got your answer in the OpenSSL man pages [3]:

    The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.

    It is also proposed to make the default "yes" or even remove it completely (make it always "yes"). This is currently scheduled for "Post 3.0.0": https://github.com/openssl/openssl/issues/5451

    Richard Levitte who proposed to remove it is the same guy who introduced it back in 2004: https://www.openssl.org/news/cl111.txt (Changes between 0.9.7c and 0.9.7d [17 Mar 2004])

    Since it is recommended even by OpenSSL to set unique_subject to "no" there are most definitely no security implications. One can only speculate why the default was "yes". Probably in the early days there was not so much thinking about rolling certificates and live revocation lists.
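As an added example (not part of the question or the answer above): once unique_subject is set to no, the CA database no longer enforces one live certificate per DN, so the natural compensating control for the "practices" question is an audit of index.txt that lists subjects holding more than one unexpired, unrevoked certificate. The script below parses the tab-separated index.txt format written by openssl ca and runs on a constructed sample database; the sample entries and the `audit` helper are assumptions made for this example.

```python
"""Audit an OpenSSL `ca` index.txt for subjects that hold more than one
currently valid certificate, the situation unique_subject = yes forbids."""
from collections import defaultdict
from datetime import datetime, timezone

def parse_asn1_time(s):
    # openssl ca writes UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    # index.txt columns are tab separated: status (V/R/E), expiry date,
    # revocation date (empty unless revoked), serial, file name, subject DN
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        entries.append({"status": status, "expiry": parse_asn1_time(expiry),
                        "revoked": revoked, "serial": serial, "subject": subject})
    return entries

def duplicate_subjects(entries, now):
    """Return {subject: [serials]} for subjects with more than one live cert."""
    live = defaultdict(list)
    for e in entries:
        # A 'V' entry keeps that status after expiry until `openssl ca -updatedb`
        # is run, so compare the expiry date as well as the status flag.
        if e["status"] == "V" and e["expiry"] > now:
            live[e["subject"]].append(e["serial"])
    return {s: serials for s, serials in live.items() if len(serials) > 1}

def audit(index_text, now_asn1):
    return duplicate_subjects(parse_index(index_text), parse_asn1_time(now_asn1))

# Constructed sample index.txt (not from a real CA): www has two live certs,
# vpn has one revoked plus one live, old has one expired plus one live.
SAMPLE_INDEX = "\n".join([
    "V\t300101000000Z\t\t1001\tunknown\t/C=NL/O=Example/CN=www.example.test",
    "V\t300601000000Z\t\t1002\tunknown\t/C=NL/O=Example/CN=www.example.test",
    "R\t300101000000Z\t240101000000Z\t1003\tunknown\t/C=NL/O=Example/CN=vpn.example.test",
    "V\t300101000000Z\t\t1004\tunknown\t/C=NL/O=Example/CN=vpn.example.test",
    "V\t200101000000Z\t\t1005\tunknown\t/C=NL/O=Example/CN=old.example.test",
    "V\t300101000000Z\t\t1006\tunknown\t/C=NL/O=Example/CN=old.example.test",
])

if __name__ == "__main__":
    for subject, serials in audit(SAMPLE_INDEX, "240601000000Z").items():
        print(f"{subject}: {len(serials)} live certificates, serials {serials}")
```

Only www.example.test is reported for the sample, because the second vpn entry is revoked and the first old entry has expired; pairing the output with an expected grace period makes it easy to spot a DN whose overlap has outlived the rollover it was meant for.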