[openssl-users] More on cert serialnumbers
Robert Moskowitz
rgm at htt-consult.com
Thu Aug 17 14:40:47 UTC 2017
I have been researching serial number in cert based on Jakob's comment:
"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers. Note that this is not the default in
the openssl ca program.
- Serial numbers contain cryptographically strong random bits, currently at
least 64 random bits, though it is best if the entire serial number looks
random from the outside. This is not implemented by the openssl ca
program."
And this is supposedly from the CA/B BF?
Though Erwann responded:
"There’s no such requirement. It MUST be at most 20 octets long"
I see how for all certs other than the root (get to that later), I can
control this with:
openssl rand -hex 20 > serial
then use 'openssl ca ...'
But from Kyle's comment, the first bit must be ZERO.
"I tend not to re-use keys, so I've found that putting 20 bytes (while
clearing the high bit) of a digest of the SubjectPublicKeyInfo as the
serial number works in that circumstance. [if you leave the high bit
set, then DER mandates that it be encoded with a leading 0x00 byte,
which makes it 21 bytes... which can cause problems with things built
for PKIX.]"
Will that be the case with the above 'openssl rand', or is there some
other step needed to zero out the first bit.
And is the openssl rand function 'safe' to use? Is it cryptographically
strong?
As for the root cert created with 'openssl req ... -new -x509', it seems
that a random 8 octet serial number is provided. Is there a way to
boost that to 20 octects? Does it matter per Erwann's comment above?
Actually, I am trying to keep certs small, and the CAs I picture are not
for millions of certs Smaller serial number size would be the preferred
situation...
thanks
Bob
More information about the openssl-users
mailing list