[openssl-users] Certificate serialnumber?

David Thompson dthompson at cardconnect.com
Sun Jul 5 12:19:46 UTC 2015

> From: openssl-users On Behalf Of Walter H.
> Sent: Sunday, July 05, 2015 06:49

<snip: CentOS default>
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump
> CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem
> -out ./squidCA.pem
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
Quoting the man page for req(1) -- although depending on the packaging
which I don't know for CentOS it may be a different section like 1s or 1ssl --
and also on the web https://www.openssl.org/docs/apps/req.html

    this option outputs a self signed certificate instead of a certificate request.
This is typically used to generate a test certificate or a self signed root CA.
The extensions added to the certificate (if any) are specified in the
configuration file. Unless specified using the set_serial option,
a large random number will be used for the serial number.

> would this be also an option when using openssl like this:
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate
> ...  -enddate ... ....
'ca' always uses the value currently in a 'serial' file configured in the
configuration file, and increments it, thus using sequential numbers
when you issue more than one cert. 'ca' also records issued certs
in a 'database' file usually named index.txt (a VERY SIMPLE db,
just a file with text lines and columns) which makes sequential
numbers convenient. If you want nonsequential numbers
you can edit the serial file before each or any execution of 'ca'.
This is mostly described on the man page for ca(1ssl), although
on checking I see it isn't actually stated that serial values are
incremented; you're supposed to infer that from the usual
meaning of the word, although the X.509 meaning has diverged.

OpenSSL's other, simpler but less capable way to issue a child
cert is 'openssl x509' with '-req' and '-CA', plus '-CAkey' unless
the key is in the (CA)cert file, and other options as needed.
In this method you may specify '-set_serial' as an option;
else it uses the serial-file method like 'ca' except the filename
may be an option or defaults to the (CA)cert file name with
.pem or other suffix changed to .srl. And 'x509 -req -CA' does
NOT record the index.txt 'database'. Now, where do you think
documentation of 'x509' might be?


THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information protected from disclosure and intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message or any attachments is strictly prohibited. If you have received this communication in error, please notify CardConnect immediately by replying to this message and then delete this message and any attachments from your computer.

More information about the openssl-users mailing list