<html><head><title>Re: [openssl-users] Personal CA: are cert serial numbers critical?</title>
</head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">Replying personally:<br>
<br>
I'm a nobody, and you have no reason to know me - but wanted to thank you for the input you give here.<br>
<br>
You're nearly always quite thoughtful, careful in what you say, respectful, and give such [IMO] good insightful feedback and information to people looking for help. I follow quite a number of lists, and IMO, it's a rare breed of individuals who do such a fine job.<br>
<br>
Perhaps you care nothing for such accolades, and I'm truly a "nobody" in giving them - but still I wanted to recognize excellence when I see it.<br>
<br>
So, Thanks!<br>
<br>
-Greg<br>
<br>
<span style=" color: #800000;"><b>JB> On 16/08/2017 16:32, Tom Browder wrote:<br>
>> On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users <br>
>> <</b></span></span><a style=" font-family:'courier new'; font-size: 9pt;" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><span style=" font-family:'courier new'; font-size: 9pt; color: #800000;"><b> <</b></span><a style=" font-family:'courier new'; font-size: 9pt;" href="mailto:openssl-users@openssl.org">mailto:openssl-users@openssl.org</a><span style=" font-family:'courier new'; font-size: 9pt; color: #800000;"><b>>> wrote:<br>
<br>
>> ➢ So, in summary, do I need to ensure cert serial numbers are<br>
>> unique for my CA?<br>
<br>
>> Why would you not? The specifications require it, but those<br>
>> specifications are for interoperability. If nobody is ever going<br>
>> to see your certs, then who cares what’s in them?<br>
<br>
<br>
>> Well, I do like to abide by specs, and they will be used in various <br>
>> browsers, so I think I will continue the unique serial numbering.<br>
<br>
>> Thanks, Rich.<br>
<br>
JB> Modern browsers increasingly presume that such private CAs behave exactly<br>
JB> like the public CAs regulated through the CA/Browsers Forum (CAB/F) and<br>
JB> the per-browser root CA inclusion programs (the administrative processes<br>
JB> that determine which CAs are listed in browsers by default).<br>
<br>
JB> Among the relevant requirements now needed:<br>
<br>
JB> - Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as <br>
JB> standalone<br>
JB> numbers and as DER-encoded numbers. Note that this is not the default in<br>
JB> the openssl ca program.<br>
<br>
JB> - Serial numbers contain cryptographically strong random bits, currently at<br>
JB> least 64 random bits, though it is best if the entire serial number looks<br>
JB> random from the outside. This is not implemented by the openssl ca <br>
JB> program.<br>
<br>
JB> - Certificates are valid for at most 2 years (actually 825 days).<br>
<br>
JB> - SHA-1 (and other weak algorithms such as MD5) are no longer permitted and<br>
JB> is already disappearing from Browser code.<br>
<br>
JB> - RSA shorter than 2048 bits (and other weak settings such as equally short<br>
JB> DSA keys) are no longer permitted and is already disappearing from <br>
JB> Browser<br>
JB> code.<br>
<br>
JB> - If the certificate is issued to an e-mail address, that e-mail address<br>
JB> must<br>
JB> also be listed as an rfc822Name in a "Subject Alternative Name" <br>
JB> certificate<br>
JB> extension.<br>
<br>
JB> - End user certificates must be issued from an Intermediary CA whose<br>
JB> certificate is is in turn issued from a longer term root CA.<br>
<br>
JB> - If revocation is implemented (it should be, just in case someone gets<br>
JB> their<br>
JB> computer or other key storage hacked/stolen), it needs to support <br>
JB> OCSP, but<br>
JB> should ideally do so without having the actual CA keys online <br>
JB> (standard trick:<br>
JB> Issue 3-month non-revocable OCSP-signing certificates and provide the<br>
JB> corresponding private key to the server running the OCSP responder <br>
JB> program).<br>
JB> I would recommend to also implement traditional CRLs, since for <br>
JB> smaller CAs<br>
JB> it is a better solution for browsers and servers that support it.<br>
<br>
<br>
JB> Enjoy<br>
<br>
JB> Jakob<br>
JB> -- <br>
JB> Jakob Bohm, CIO, Partner, WiseMo A/S. </b></span><a style=" font-family:'courier new'; font-size: 9pt;" href="https://www.wisemo.com">https://www.wisemo.com</a><br>
<span style=" font-family:'courier new'; font-size: 9pt; color: #800000;"><b>JB> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10<br>
JB> This public discussion message is non-binding and may contain errors.<br>
JB> WiseMo - Remote Service Management for PCs, Phones and Embedded<br>
<br>
<br>
</b><span style=" font-family:'arial'; font-size: 8pt; color: #c0c0c0;"><i>-- <br>
Gregory Sloop, Principal: Sloop Network & Computer Consulting<br>
Voice: 503.251.0452 x82<br>
EMail: </i></span></span><a style=" font-family:'arial';" href="mailto:gregs@sloop.net">gregs@sloop.net</a><br>
<a style=" font-family:'arial';" href="http://www.sloop.net">http://www.sloop.net</a><br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>---</body></html>