Dealing with reused Serial Numbers for CAs

“An error occurred during a connection to nuzleaf.home.younglogic.net. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.”

Many years ago I battled this problem and had different solutions. Today, I got one that worked for Firefox on Fedora 32.

My IPA server is for HOME.YOUNGLOGIC.NET

My backing store for my default profile in Firefox is /home/ayoung/.mozilla/firefox/x4kktanr.default

To see the certificates I have in that store:

$ pwd
/home/ayoung/.mozilla/firefox/x4kktanr.default
$ certutil -L -d . | grep -i younglogic
adam.younglogic.com                                          ,,   
younglogic.com                                               ,,   
openshift.younglogic.info                                    ,,   
nuzleaf.home.younglogic.net                                  ,,   
Certificate Authority - HOME.YOUNGLOGIC.NET                  CT,C,

To delete that last one:

certutil -d . -D -n "Certificate Authority - HOME.YOUNGLOGIC.NET"

Then restart Firefox. It holds this in some other cache, perhaps memory, until a restart. Note that the file that backs the certificate database is cert9.db. It is a SQLite database with a very unfriendly schema.
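The steps above as an added example, not code from the original post: a shell helper that picks CA entries out of `certutil -L` output by their trust flags instead of by eye, and keeps a copy of cert9.db and the old CA certificate before deleting it. The function names, backup file names and the header lines of the sample listing are assumptions; the two entries are the ones from the listing above.

```shell
# Constructed sample of `certutil -L -d .` output (header lines assumed).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nuzleaf.home.younglogic.net                                  ,,
Certificate Authority - HOME.YOUNGLOGIC.NET                  CT,C,
'

# Read `certutil -L` output on stdin and print the nicknames whose SSL trust
# field carries C or T (trusted CA). Optional $1: case-insensitive substring.
# Usage: certutil -L -d . | list_ca_nicknames younglogic
list_ca_nicknames() {
    awk -v pat="${1:-}" '
    {
        sub(/[ \t]+$/, "")                       # drop trailing padding
        n = split($0, f, /[ \t]+/)
        trust = f[n]                             # last column: SSL,S/MIME,JAR/XPI flags
        if (trust !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/) next   # header or blank line
        nick = substr($0, 1, length($0) - length(trust))
        sub(/[ \t]+$/, "", nick)                 # nicknames may contain spaces
        split(trust, t, ",")
        if (t[1] !~ /[CT]/) next                 # ",," = cached server cert, not a CA
        if (pat != "" && index(tolower(nick), tolower(pat)) == 0) next
        print nick
    }'
}

# Back up the database, export the old CA certificate as PEM, then delete it.
# $1 = profile directory, $2 = exact nickname. Restart Firefox afterwards.
delete_ca_with_backup() {
    ca_dir=$1
    ca_nick=$2
    ca_stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$ca_dir/cert9.db" "$ca_dir/cert9.db.bak.$ca_stamp" || return 1
    certutil -L -d "$ca_dir" -n "$ca_nick" -a > "$ca_dir/removed-ca.$ca_stamp.pem" || return 1
    certutil -D -d "$ca_dir" -n "$ca_nick"
}
```

The exported PEM file can be compared with the CA certificate the IPA server currently serves to confirm that the stored copy really was the stale one.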
