HTTPS: Create self-signed certificate with unique serial

Hi @Zyxel_Jonas,

thank you for your reply.

This issue does NOT involve 2 switches, but it happened with several switches (all XGS2210-28 FW 4.50, upgraded from 4.40) for me during my tests and automatic (re)configuration. I could invest time to reproduce the issue, if that really helps, but I'd be glad if you tried it first following the following steps.

These are the steps to reproduce:

Prerequisites: Firefox 59.0.2 and a switch XGS2210-28, FW 4.50, let's say its MAC address is 11:22:33:44:55:66.

1. Boot the switch. On first boot it will generate a new self-signed certificate, I assume.
2. Access the switch via https using Firefox.
3. Firefox will ask you to add an exception for the self-signed cert issued for "XGS2210 112233445566".
3. In Firefox click the Padlock symbol next to the URL bar, then ">" button, then the "More information" button.
4. A new window will appear, click "View certificate".
5. A new window will appear, in the first tab you will see that the seriel number of the certificate is the switch's MAC address, so for this hypothetical device "11:22:33:44:55:66".
6. Perform a factory reset using the reset button -- I assume that other methods will work, too. During this process, the switch will generate a new certificate.
7. Perform steps 1 and 2 again. You will likely assert that you will not be able to access the switch as another certificate from the same CA with the same serial number is already known to Firefox.
8. Close Firefox, remove your Firefox profile's cert8.db, start Firefox again.
9. Perform steps 1 to 5 again. You will find out that the new certificate has the same serial as the one before, which is illegitimate and causes the problem described above.

I tested and reproduced this issue with the following browsers:
* Firefox 59.0.2 on Linux
* Firefox 52.7.3 ESR on Linux x86_64

Best regards,
// Veit