[openssl-users] Personal CA: are cert serial numbers critical?

Robert Moskowitz rgm at htt-consult.com
Wed Aug 16 21:15:53 UTC 2017



On 08/16/2017 05:01 PM, Salz, Rich via openssl-users wrote:
>> There’s no such requirement. It MUST be at most 20 octets long.
>>
>>> - Serial numbers contain cryptographically strong random bits, currently at
>>> least 64 random bits, though it is best if the entire serial number looks
>>> random from the outside.  This is not implemented by the openssl ca program.
>
> Edit apps/apps.h to change SERIAL_RAND_BITS and use the -create_serial flag.
>
> I’ll be making a patch to do this more easily for master.
>
>> Use of the commonName attribute has been deprecated long ago.
>>
>> Where is this documented?
>
> RFC 2818 in 2000.  See also https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo


OK.  NOW I remember those debates in the PKIX sessions...

Boy is THIS rattling some old brain cells!
