MacOS – How to create a self signed SSL server certificate on OS X 10.7 for HighPoint RAID management server

Tags: certificate, macos, openssl

Having multiple Mac machines running Highpoint RocketRaid controllers and the HPT Web RAID Management software v1.68 results in having multiple copies of an identical self-signed /usr/share/hpt/hptsvr.pem SSL server certificate.

$ openssl x509 -text -in /usr/share/hpt/hptsvr.pem -issuer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Fremont, O=HighPoint Technologies, Inc., OU=HPT, CN=127.0.0.1, CN=localhost, CN=mac.local, CN=127.0.0.1
        Validity
            Not Before: Sep  5 17:38:59 2011 GMT
            Not After : Sep  2 17:38:59 2021 GMT
        Subject: C=US, ST=California, L=Fremont, O=HighPoint Technologies, Inc., OU=HPT, CN=127.0.0.1, CN=localhost, CN=mac.local, CN=127.0.0.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:bc:cf:96:35:88:80:5c:06:df:bb:c6:13:5e:36:
                    e4:a6:73:76:fa:83:e1:31:4f:65:53:bb:67:d6:39:
                    89:82:a5:1e:fe:db:07:9e:71:8c:19:80:f4:9d:67:
                    9f:9a:2f:2e:ab:e8:32:72:47:81:6a:20:56:7a:d4:
                    60:e0:f6:29:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                HighPoint Technologies, Inc.
            Netscape SSL Server Name:
                mac.local
            Netscape SSL Server Name:
                127.0.0.1
            Netscape SSL Server Name:
                127.0.0.1
            Netscape SSL Server Name:
                localhost
    Signature Algorithm: md5WithRSAEncryption
        35:20:88:6a:71:81:7d:fe:8c:09:bb:56:9c:66:42:ce:fd:e2:
        9a:d0:3d:fb:e6:a3:0f:63:ae:1f:99:5d:ea:29:95:cb:95:f3:
        6a:15:86:33:a8:33:93:da:18:76:e9:ed:d3:18:cc:3b:d9:72:
        06:cc:dd:b0:b7:f1:a4:2e:ac:ca
issuer= /C=US/ST=California/L=Fremont/O=HighPoint Technologies, Inc./OU=HPT/CN=127.0.0.1/CN=localhost/CN=mac.local/CN=127.0.0.1

The result is that newer versions of Firefox – like v30 – are only able to open the first instance of such a self-signed certificate, and access to each other copy – running on a different hostname – is blocked with this message: sec_error_reused_issuer_and_serial.

The Apple Certificate Assistant located at /System/Library/CoreServices/Certificate Assistant.app fails to create a correct certificate for the Highpoint SSL web server.

My first try is to use the Apple "Certificate Assistant" application. However, its generated self-signed certificate doesn't work (no https connection within 30 seconds). When comparing the Highpoint cert with the Apple-generated cert, the differences are "Signature Algorithm: sha256WithRSAEncryption" and "X509v3 Subject Alternative Name" (Apple), versus "Signature Algorithm: md5WithRSAEncryption" (Highpoint) and deprecated Netscape extensions like "Netscape Cert Type: SSL Server", "Netscape Comment: HighPoint Technologies, Inc." and twice the "Netscape SSL Server Name: 127.0.0.1" and "Netscape SSL Server Name: localhost" and "Netscape SSL Server Name: mac.local" (Highpoint).

How to create a unique self-signed certificate replacing Highpoint's default .pem on Mac OS X 10.7 (Lion) preferably on the command line?

Best Answer

When overlapping or re-used hostnames/IP addresses have been created, resulting in the sec_error_reused_issuer_and_serial error, delete the built-in certificate using Terminal:

$ sudo rm -v /usr/share/hpt/hptsvr.pem

And restart the raidman-httpsd daemon using this command:

$ sudo SystemStarter restart raidman

A new .pem file based on a matching hostname and ip address will be created on the first https request.
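The question asks for a command-line way to produce a unique self-signed certificate, and the answer fixes the reused issuer+serial condition by letting the daemon regenerate its file. The script below is an added example, not code from the question, the answer or HighPoint: gen_cert builds an RSA-2048, SHA-256 self-signed server certificate with a random 64-bit serial and a subjectAltName (a config file is used instead of -addext so it also works with the older OpenSSL on OS X 10.7), and find_reused checks a set of PEM files for exactly the issuer+serial reuse Firefox rejects. It assumes, which the page does not state, that the daemon reads the private key and certificate concatenated in one PEM file, and the hostnames, IP addresses and organisation name are placeholders.

```shell
#!/bin/sh
# Added example (not from the question, the answer or HighPoint).
# Assumption: the daemon accepts a standard PEM file with the private key
# followed by the certificate; hostnames/IPs below are placeholders.
set -eu

# gen_cert OUTDIR HOSTNAME [IP]
# Writes OUTDIR/hptsvr.pem (key + certificate) and prints its path.
# SHA-256 signature, 10-year validity, random serial, SAN for the host,
# localhost and the given IP; no deprecated Netscape extensions.
gen_cert() {
    outdir=$1; host=$2; ip=${3:-127.0.0.1}
    mkdir -p "$outdir"
    cnf="$outdir/hptsvr.cnf"
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
O = Example Lab
CN = $host
[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,DNS:localhost,IP:$ip
EOF
    # A fresh random serial is what makes each machine's certificate
    # distinct even though issuer and subject DN are identical everywhere.
    serial="0x$(openssl rand -hex 8)"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -set_serial "$serial" -config "$cnf" -extensions v3_req \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    cat "$outdir/key.pem" "$outdir/cert.pem" > "$outdir/hptsvr.pem"
    chmod 600 "$outdir/hptsvr.pem" "$outdir/key.pem"
    rm -f "$cnf"
    printf '%s\n' "$outdir/hptsvr.pem"
}

# find_reused FILE...
# Prints every issuer+serial pair that occurs in more than one of the
# given certificates (the sec_error_reused_issuer_and_serial condition).
# Returns 1 if any reuse is found, 0 otherwise.
find_reused() {
    for f in "$@"; do
        key=$(openssl x509 -in "$f" -noout -issuer -serial | tr '\n' '|')
        printf '%s\t%s\n' "$key" "$f"
    done | sort | awk -F'\t' '
        { n[$1]++; files[$1] = files[$1] " " $2 }
        END {
            bad = 0
            for (k in n) if (n[k] > 1) { bad = 1; print "reused:", k, "in" files[k] }
            exit bad
        }'
}
```

Run gen_cert once per machine, install the resulting file as /usr/share/hpt/hptsvr.pem and restart the raidman service; afterwards find_reused over the collected hptsvr.pem files from all machines should print nothing and return 0.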