[openssl-users] Using set_serial to control serial number size directly
rgm at htt-consult.com
Mon Aug 21 13:06:43 UTC 2017
I have worked out that:
openssl req -config openssl-root.cnf -set_serial 0x$(openssl rand -hex
19) -key private/ca.key.pem\
-new -x509 -days 7300 -sha256 -extensions v3_ca -out
allows you to override the serial number select process and thus control
what size serial number you use.
This also works for openssl ca for signing a csr, so you don't have to
deal with the serial file.
You can further parameterize this with:
-set_serial 0x$(openssl rand -hex $sn)
when sn=some number 8 to 19.
But in doing this, I can't figure out if there is a risk on serial
number size for a root CA cert as there is for any other cert. The
nature of the attack, just to me, does not seem to apply to a root CA
cert. So that a serial number size of 8 octets is just fine for the
Please correct me if I don't have the risk properly understood.
More information about the openssl-users