[openssl-users] Certificate serialnumber?

Ben Humpert ben at an3k.de
Sun Jul 5 11:58:03 UTC 2015


Take a look in your openssl.cnf and you should see the option "serial"
with a path / file specified. The serial number is taken from that
file. If the file doesn't exist or is empty when the very first
certificate is created then 01 is used as a serial for it.

Rich Salz recommended this SSL Cookbook to me
https://www.feistyduck.com/books/openssl-cookbook/ by Ivan Ristić and
based on that you should initiate the database and serial files before
you create certificates to avoid problems that can occur after months
/ years.

I use

cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out ./ca/reqs
chmod 700 ./ca/private                         # keys readable by root only
cp /dev/null ./ca/db/an3kRootCA.db             # empty certificate database
cp /dev/null ./ca/db/an3kRootCA.db.attr
openssl rand -hex 16  > ./ca/db/an3kRootCA.crt.srl   # random 128-bit start serial
echo 1001 > ./ca/db/an3kRootCA.crl.srl         # CRL number seed
cd /etc/ssl/ca/

to create the whole environment and initiate the database and serial
files. This is based on the SSL Cookbook information. If you want to
read it for yourself please open
https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
beginning with the paragraph "Creating a Private Certification Authority"
(F3).

2015-07-05 12:48 GMT+02:00 Walter H. <Walter.H at mathemainzel.info>:
> Hello,
>
> I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid) like
> this:
>
> I haven't defined anything - everything is set default from the Linux
> distribution
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/'
> -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem -out ./squidCA.pem
>
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
>
> would this be also an option when using openssl like this:
>
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate ...
> -enddate ... ....
>
> Thanks.
>
> --
> Best regards,
> Ing. Walter Höhlhubmer
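As an added example for this thread (not code from either post, and not OpenSSL's own code), the script below reproduces the CA directory and serial-file setup the reply describes, then checks the seed before anything is issued: a serial file that is missing, empty, or holds something like "01" hands out short, predictable serials, whereas a random 128-bit seed gives each certificate at least the 64 bits of entropy that current CA/Browser Forum rules demand. The CA name "exampleCA", the temporary base directory, and the minimal req config are placeholders chosen here; the self-signed step mirrors the "openssl req -x509" command from the question and reads the resulting serial back with "openssl x509 -noout -serial".

```shell
#!/bin/sh
# Added example for this thread, not code from the list posts or from OpenSSL.
# Layout mirrors the reply's mkdir line; names below are placeholders.
set -eu

# init_ca_dir BASE NAME: create the CA layout and seed database + serial files.
init_ca_dir() {
    base="$1"; name="$2"
    mkdir -p "$base/db" "$base/private" "$base/certs" "$base/crl" "$base/out" "$base/reqs"
    chmod 700 "$base/private"
    : > "$base/db/$name.db"          # empty certificate database (index)
    : > "$base/db/$name.db.attr"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16 > "$base/db/$name.crt.srl"   # 128-bit random start serial
    else
        # Fallback so the script still runs without openssl: 16 bytes from urandom as hex
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$base/db/$name.crt.srl"
        echo >> "$base/db/$name.crt.srl"
    fi
    echo 1001 > "$base/db/$name.crl.srl"                   # CRL number seed
}

# check_serial_file FILE: classify the seed that "openssl ca" will read next.
# Prints one of: missing, empty, invalid, weak, ok.
# "weak" = fewer than 16 hex digits (64 bits); a file holding "01" is the
# classic case and yields small, sequential, guessable serials.
check_serial_file() {
    f="$1"
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    hex=$(tr -d '\r\n' < "$f")
    case "$hex" in
        *[!0-9A-Fa-f]*|"") echo invalid; return ;;
    esac
    if [ "${#hex}" -lt 16 ]; then echo weak; else echo ok; fi
}

# selfsigned_serial DIR: build a throwaway self-signed certificate the way the
# question's "openssl req -x509" command does and print the serial it received.
# A two-section config keeps it independent of the distribution's openssl.cnf.
# Prints nothing when openssl is unavailable or the request fails.
selfsigned_serial() {
    command -v openssl >/dev/null 2>&1 || return 0
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    openssl req -new -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj '/CN=serial demo' -keyout "$1/demo.key" -out "$1/demo.crt" \
        2>/dev/null || return 0
    openssl x509 -noout -serial -in "$1/demo.crt" | sed 's/^serial=//'
}

# Demo run in a temporary directory; the random values differ on every run.
demo() {
    tmp=$(mktemp -d)
    init_ca_dir "$tmp/ca" exampleCA
    echo "seeded serial file: $(check_serial_file "$tmp/ca/db/exampleCA.crt.srl")"
    echo 01 > "$tmp/weak.srl"
    echo "file holding 01:    $(check_serial_file "$tmp/weak.srl")"
    s=$(selfsigned_serial "$tmp")
    if [ -n "$s" ]; then
        echo "req -x509 self-signed serial: $s"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the seeded file classified "ok" and a "01" file classified "weak"; point check_serial_file at the real serial file in your CA directory to audit it before the first issuance.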
