[openssl-users] Certificate serialnumber?

David Thompson dthompson at cardconnect.com
Tue Jul 7 02:57:16 UTC 2015


> From: openssl-users On Behalf Of Salz, Rich
> Sent: Sunday, July 05, 2015 11:56
[in response to message about 'ca']
> > > the question: where does the serial number for this certificate come from?
> > > is it random by default when nothing is said about it?
>
> It will be random if (a) the serial file does not exist; and (b) you specify the
> -create_serial flag.  Otherwise it opens the file, reads the number (defaulting
> to zero if not exists) and increments it, updates the file, and uses that as the
> new serial number.
>
One point I didn't notice until you pointed me at:

FOR 'ca': If the serial file exists, the current value is read (ERROR if none or bad,
not zero), THAT value is used, and then the incremented value is written back.
If the file doesn't exist and you specify create, a random value is used, then
the incremented value written. If the file doesn't exist and you don't
specify create, error.

FOR 'x509' with -set_serial, that is used and serial file is ignored. Otherwise
same as above, except value is incremented BEFORE it is used -- and
the create option is spelled -CAcreateserial instead of -create_serial.

In short, 'ca' is like N++ in C but 'x509' is like ++N . Yikes!
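
The difference described above, as a small Python model added here (not part of the original message and not OpenSSL's code; the function names are hypothetical). Going one step beyond the message, it also alternates both commands on one serial file, which under these semantics hands out the same serial twice.

```python
import os
import secrets
import tempfile

# Model of the serial-file handling as described in the message above.
# Hypothetical helper names; this is not how OpenSSL itself is written.

def read_serial(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)   # empty or bad content raises, never 0

def write_serial(path, value):
    with open(path, "w") as fh:
        fh.write(f"{value:02X}\n")

def ca_issue(path, create_serial=False):
    """'ca' (N++): use the stored value, then write value + 1 back."""
    if os.path.exists(path):
        serial = read_serial(path)
    elif create_serial:                     # models -create_serial
        serial = secrets.randbits(64)
    else:
        raise FileNotFoundError(path)
    write_serial(path, serial + 1)
    return serial

def x509_issue(path, set_serial=None, ca_createserial=False):
    """'x509' (++N): increment first, then use and store that value."""
    if set_serial is not None:              # models -set_serial: file ignored
        return set_serial
    if os.path.exists(path):
        serial = read_serial(path) + 1
    elif ca_createserial:                   # models -CAcreateserial
        serial = secrets.randbits(64) + 1
    else:
        raise FileNotFoundError(path)
    write_serial(path, serial)
    return serial

def shared_file_demo():
    """Alternate both commands on one serial file; return serials issued."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "serial")    # constructed sample file holding 01
        write_serial(path, 1)
        return [ca_issue(path), x509_issue(path),
                ca_issue(path), x509_issue(path)]

if __name__ == "__main__":
    print(shared_file_demo())
```

In this model the file left by 'ca' holds the next unused serial, while the file left by 'x509' holds the last serial used, so a serial file should belong to one command only.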

