OpenSSL "ca" Error "failed to update database TXT_DB error number 2"


Why I am getting the "failed to update database TXT_DB error number 2" error when running OpenSSL "ca" command?



If you are using the OpenSSL "ca" command to sign a CSR that has the same DN (Distinguished Name) fields as an old CSR you have signed before, you will get the "failed to update database TXT_DB error number 2" error as shown below:


OpenSSL> req -in rsa_test.csr -subject -noout
subject= /C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/

OpenSSL> x509 -in demoCA\newcerts\1001.pem -subject -noout
subject= /C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/

OpenSSL> ca -in rsa_test.csr -keyfile my_ca.key -cert my_ca.crt 
   -policy policy_anything -out test.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
            Not Before: Jul 31 23:56:11 2016 GMT
            Not After : Jul 31 23:56:11 2017 GMT
            countryName               = us
            stateOrProvinceName       = NY
            localityName              = New York
            organizationName          = Donald Inc.
            organizationalUnitName    = IT
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Jul 31 23:56:11 2017 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
error in ca

The output of "req" and "x509" commands shows that the CSR, rsa_test.csr, has the same DN fields (the subject of the CSR) as an old certificate, .\demoCA\1001.pem, signed previously: "/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/".

The output of "ca" command shows the error "failed to update database TXT_DB error number 2". This is because OpenSSL "ca" wants to maintain certificate database with unique subject value (DN fields).

In other words, you can not sign the same CSR twice with the OpenSSL "ca" command.


OpenSSL "ca -revoke" - Revoke a Certificate

OpenSSL "ca" - Track CSR Signing History

OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-13, 13384👍, 0💬