[openssl-users] Certificate serialnumber?

Ben Humpert ben at an3k.de
Sun Jul 5 11:58:03 UTC 2015

Take a look in your openssl.cnf and you should see the option "serial"
with a path / file specified. The serial number is taken from that
file. If the file doesn't exists or is empty when the very first
certificate is created then 01 is used as a serial for it.

Rich Salz recommended me this SSL Cookbook
https://www.feistyduck.com/books/openssl-cookbook/ by Ivan Ristić and
based on that you should initiate the database and serial files before
you create certificates to avoid problems that can occour after month
/ years.

I use

cd /etc/ssl/
mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out ./ca/reqs
chmod 700 ./ca/private
cp /dev/null ./ca/db/an3kRootCA.db
cp /dev/null ./ca/db/an3kRootCA.db.attr
openssl rand -hex 16  > ./ca/db/an3kRootCA.crt.srl
echo 1001 > ./ca/db/an3kRootCA.crl.srl
cd /etc/ssl/ca/

to create the whole environment and initiate the database and serial
files. This is based on the SSL Cookbook information. If you want to
read it for yourself please open
begin with paragraph "Creating a Private Certification Authority"

2015-07-05 12:48 GMT+02:00 Walter H. <Walter.H at mathemainzel.info>:
> Hello,
> I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid) like
> this:
> I havn't defined anything - everything is set default from the linux
> distribution
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/'
> -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem -out ./squidCA.pem
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
> would this be also an option when using openssl like this:
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate ...
> -enddate ... ....
> Thanks.
> --
> Best regards,
> Ing. Walter Höhlhubmer
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list