[openssl-users] Personal CA: are cert serial numbers critical?

Robert Moskowitz rgm at htt-consult.com
Wed Aug 16 21:06:33 UTC 2017



On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote:
>> There’s no such requirement. It MUST be at most 20 octets long.
> >
> >> - Serial numbers contain cryptographically strong random bits, currently at
> >> least 64 random bits, though it is best if the entire serial number looks
> >> random from the outside.  This is not implemented by the openssl ca program.
>
> Edit apps/apps.h to change SERIAL_RAND_BITS and use the -create_serial flag.
>
> I’ll be making a patch to do this more easily for master.

So we will have to wait for the next release or build our own...

Will there be some option to control the behavior?

>
>> Use of the commonName attribute has been deprecated long ago.
>
> > Where is this documented?
>
> RFC 2818 in 2000.  See also https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo

No wonder I missed it.  My attention was off PKIX then as I was focused 
on HIP...

Bob
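The workaround quoted above (changing SERIAL_RAND_BITS and passing -create_serial) needs a rebuilt binary. The script below is an added example, not from this thread or from OpenSSL itself: it generates a random serial, checks it against the limits quoted above (at most 20 octets once DER-encoded, at least 64 random bits, positive and non-zero), and writes it to the CA's serial file, which `openssl ca` reads for the next certificate. It assumes a POSIX shell with /dev/urandom and the default serial file name `serial`.

```shell
#!/bin/sh
# Random serial for the "openssl ca" serial file, checked against the
# limits discussed in the thread: <= 20 octets, >= 64 random bits, positive.
# Assumed: /dev/urandom exists; the CA config points "serial" at ./serial.

# 16 random octets = 128 bits, well under the 20-octet ceiling.
SERIAL_OCTETS=16

# Print a fresh serial as uppercase hex. The top bit is cleared so the DER
# INTEGER stays positive without a leading 0x00 octet being added.
new_serial() {
    hex=$(head -c "$SERIAL_OCTETS" /dev/urandom | od -An -tx1 -v | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1)
    rest=$(printf '%s' "$hex" | cut -c2-)
    first=$(printf '%x' $(( 0x$first & 7 )))
    printf '%s%s\n' "$first" "$rest" | tr 'a-f' 'A-F'
}

# Return 0 if $1 is acceptable: hex only, even length, at least 64 bits,
# at most 20 octets after DER encoding, and not zero.
check_serial() {
    s=$1
    case $s in
        *[!0-9A-Fa-f]*|"") return 1 ;;
    esac
    len=${#s}
    [ $((len % 2)) -eq 0 ] || return 1
    [ "$len" -ge 16 ] || return 1            # fewer than 64 bits
    octets=$((len / 2))
    case $(printf '%s' "$s" | cut -c1) in
        [89A-Fa-f]) octets=$((octets + 1)) ;; # DER prepends 0x00 to keep it positive
    esac
    [ "$octets" -le 20 ] || return 1
    case $s in
        *[1-9A-Fa-f]*) return 0 ;;           # at least one non-zero digit
    esac
    return 1
}

# Write a checked serial to the CA's serial file (default ./serial).
write_serial_file() {
    file=${1:-serial}
    s=$(new_serial)
    check_serial "$s" || return 1
    printf '%s\n' "$s" > "$file"
}
```

Run write_serial_file before each `openssl ca` invocation instead of letting the CA increment the previous value.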
