Make -CAcreateserial start from 1 instead of 0 for

serial numbers.

CHANGES

@@ -4,6 +4,13 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
+     for the first serial number and places 2 in the serial number file. This
+     avoids problems when the root CA is created with serial number zero and
+     the first user certificate has the same issuer name and serial number
+     as the root CA.
+     [Steve Henson]
+
   *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
      the new code. Add documentation for this stuff.
      [Steve Henson]

apps/x509.c

@@ -943,8 +943,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 			}
 		else
 			{
-			ASN1_INTEGER_set(bs,0);
-			BN_zero(serial);
+			ASN1_INTEGER_set(bs,1);
+			BN_one(serial);
 			}
 		}
 	else 

doc/apps/x509.pod

@@ -311,8 +311,9 @@ The default filename consists of the CA certificate file base name with
 =item B<-CAcreateserial filename>
 
 with this option the CA serial number file is created if it does not exist:
-it will contain the serial number "01". Normally if the B<-CA> option is
-specified and the serial number file does not exist it is an error.
+it will contain the serial number "02" and the certificate being signed will
+have the 1 as its serial number. Normally if the B<-CA> option is specified
+and the serial number file does not exist it is an error.
 
 =item B<-extfile filename>