By default unique_subject is set to yes, which prevents you from signing multiple certificates with the same distinguished name. Attempting to sign such a certificate will result in the following error message.
failed to update database
TXT_DB error number 2
There is however a clear use case for allowing duplicate dn, namely to issue certificates for relying parties with an extended expiration date. For instance the certificate of a website that needs to be refreshed after a couple of months (a similar argument has been made in [1]). Without changing the settings you can only issue a new certificate with the same dn if you revoke the existing certificate. But you may want to give the owner of the website a grace period in which both certificates are valid. The only other option I have come across is to change something in the dn (such as the OU) that is less relevant to the certificate [2].
The openssl documentation [3] has an entry for unique_subject in which they suggest that the default is chosen in order to be compatible with older versions. The page also mentions that this value should be set to no in order to make ca rollover easier. This suggests to me that a value of no is perfectly fine, and perhaps should be the default.
Many references can be found to this property, and often it is suggested that this value should be set to no (in both openssl.cnf and index.txt.attr files) [1, 2, 3, 4, many more]. I only found one place where someone suggested to leave it at yes or at least did not care enough about its actual value [5]. But, in that thread, just a blanket statement was given:
For the use case of a VPN, as EasyRSA was originally intended, the current setting is best.
Is it? Why?
I understand what the option does and how to use it. What I cannot find is a rationale for the earlier default of yes.
Is there some security concern that openssl ca tried to address with this default value?
What are the risks of issuing two certificates with the same dn?
Are there some practices that should be followed when setting unique_subject=no?
Are there valid reasons for leaving the value at its default setting?
In short are there arguments in favour of preventing multiple valid certificates with the same dn?
[1] https://github.com/OpenVPN/easy-rsa/issues/40#issuecomment-56191531
[2] https://serverfault.com/a/810608 (answer on https://serverfault.com/questions/810557/how-do-i-issue-multiple-certificates-for-the-same-common-name)
[3] https://www.openssl.org/docs/man1.1.1/man1/openssl-ca.html
[4] How do you sign a Certificate Signing Request with your Certification Authority?
[5] https://github.com/OpenVPN/easy-rsa/issues/40#issuecomment-150035723
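As an added example (not part of the question or of any of the references above), the following script reproduces the behaviour described: it builds a throwaway CA in a temporary directory, then tries to sign two CSRs carrying the same DN, once with unique_subject = yes and once with unique_subject = no, and counts how many valid (V) entries index.txt holds for that DN afterwards. It assumes the openssl command-line tool is installed; the CA name, the DN /CN=www.example.test and the config section names are constructed for the example.

```shell
#!/bin/sh
# Added example: exercise openssl ca's unique_subject setting with a disposable CA.
set -e

# make_ca <dir> <yes|no>: lay out the files openssl ca expects and write a minimal
# config whose [demo_ca] section carries the requested unique_subject value.
make_ca() {
  dir=$1; uniq=$2
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"          # empty certificate database
  echo 1000 > "$dir/serial"     # next serial number (hex)
  # Self-signed root for the demo CA (constructed name, not a real CA).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
serial         = \$dir/serial
default_md     = sha256
default_days   = 30
policy         = policy_any
unique_subject = $uniq

[ policy_any ]
commonName = supplied
EOF
}

# sign_same_dn <dir> <n>: create key + CSR number n for the fixed DN and ask the
# CA to sign it; the function's exit status is openssl ca's exit status, so the
# caller can see whether the CA accepted a second certificate for the same DN.
sign_same_dn() {
  dir=$1; n=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/site$n.key" -out "$dir/site$n.csr" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -batch -notext \
    -in "$dir/site$n.csr" -out "$dir/site$n.crt" >/dev/null 2>&1
}

# issued_count <yes|no>: build a CA with that unique_subject value, attempt two
# signings of the same DN, and print how many valid entries index.txt now lists
# for it (1 when the second signing is refused, 2 when both are accepted).
issued_count() {
  d=$(mktemp -d)
  make_ca "$d" "$1"
  sign_same_dn "$d" 1 || true
  sign_same_dn "$d" 2 || true
  # index.txt rows: status, expiry, revocation date, serial, file, DN (oneline form)
  grep -c '^V.*/CN=www.example.test$' "$d/index.txt" || true
  rm -rf "$d"
}

# Stand-alone run: show the outcome under both settings.
echo "unique_subject = yes -> valid certificates for the DN: $(issued_count yes)"
echo "unique_subject = no  -> valid certificates for the DN: $(issued_count no)"
```

With unique_subject = yes the second openssl ca call fails with the "TXT_DB error number 2" message quoted in the question and index.txt keeps a single V row; with no both rows are V, which is the overlapping-validity grace period the question is after. Note that openssl ca also records the setting in index.txt.attr the first time it runs against a database, and on an existing CA that recorded value is the one consulted, which is why the references above recommend changing both openssl.cnf and index.txt.attr.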
I think you already got your answer in the OpenSSL man pages [3]:
The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.
It is also proposed to make the default "yes" or even remove it completely (make it always "yes"). This is currently scheduled for "Post 3.0.0": https://github.com/openssl/openssl/issues/5451
Richard Levitte who proposed to remove it is the same guy who introduced it back in 2004: https://www.openssl.org/news/cl111.txt (Changes between 0.9.7c and 0.9.7d [17 Mar 2004])
Since it is recommended even by OpenSSL to set unique_subject to "no" there are most definitely no security implications. One can only speculate why the default was "yes". Probably in the early days there was not so much thinking about rolling certificates and live revocation lists.