Using set_serial to control serial number size directly

Mon Aug 21 13:06:43 UTC 2017

I have worked out that:

    openssl req -config openssl-root.cnf -set_serial 0x$(openssl rand -hex 19) \
        -key private/ca.key.pem \
        -subj "$DN" \
        -new -x509 -days 7300 -sha256 -extensions v3_ca -out

allows you to override the serial number select process and thus control 
what size serial number you use.

This also works for openssl ca for signing a csr, so you don't have to 
deal with the serial file.

You can further parameterize this with:

    -set_serial 0x$(openssl rand -hex $sn)

where sn is a number from 8 to 19.

But in doing this, I can't figure out if there is a risk on serial 
number size for a root CA cert as there is for any other cert.  The 
nature of the attack, to me at least, does not seem to apply to a root CA 
cert.  So a serial number size of 8 octets is just fine for the 
root cert.

Please correct me if I don't have the risk properly understood.
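Added example, not part of the post above: a POSIX shell helper that wraps the
post's `openssl rand -hex $sn` trick in a function and checks the result against
the RFC 5280 limits for a serial number (a positive INTEGER whose DER encoding
is at most 20 octets). It covers the edge case the 8-to-19 range sidesteps: with
20 random bytes, a set top bit makes DER prepend a 0x00 sign byte, the serial
becomes 21 octets, and strict parsers reject it. The function names
`gen_serial` and `check_serial`, and the 8-byte lower bound (64 bits, the
minimum amount of CSPRNG output the CA/Browser Forum Baseline Requirements
demand for publicly trusted certificates), are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate a random serial of N
# bytes with the openssl CLI and check it against the RFC 5280 encoding
# limits before passing it to -set_serial.

# Print N random bytes as lowercase hex (needs the openssl CLI on PATH).
gen_serial() {
    openssl rand -hex "$1"
}

# Return 0 if the hex string is usable as a certificate serial:
#   - valid even-length hex, with or without a 0x prefix
#   - at least 8 random bytes (64 bits of CSPRNG output)
#   - non-zero (RFC 5280 requires a positive INTEGER)
#   - minimal DER encoding of at most 20 octets
# Return 1 otherwise.
check_serial() {
    hex=${1#0x}
    hex=${hex#0X}
    [ -n "$hex" ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    nbytes=$(( ${#hex} / 2 ))
    [ "$nbytes" -ge 8 ] || return 1

    # Minimal DER encoding: drop leading 0x00 bytes, then add one 0x00 sign
    # byte back if the top bit of the first remaining byte is set.
    min=$hex
    while [ "${min#00}" != "$min" ]; do
        min=${min#00}
    done
    [ -n "$min" ] || return 1          # all zeros: serial would not be positive
    der=$(( ${#min} / 2 ))
    case "$min" in [89a-fA-F]*) der=$(( der + 1 )) ;; esac
    [ "$der" -le 20 ]
}

# Demo: only runs when openssl is available. With n=20 roughly half of the
# serials fail the check because of the sign byte; 8..19 always pass.
if command -v openssl >/dev/null 2>&1; then
    for n in 8 16 19 20; do
        s=$(gen_serial "$n")
        if check_serial "$s"; then
            echo "ok   $n bytes: $s"
        else
            echo "FAIL $n bytes: $s (DER would exceed 20 octets)"
        fi
    done
fi
```

To use it with the command from the post, replace `0x$(openssl rand -hex 19)`
with `0x$(gen_serial 19)` or guard the value first:
`s=$(gen_serial "$sn") && check_serial "$s" && openssl req ... -set_serial "0x$s" ...`.
The same check applies to serials handed to `openssl ca` via `-set_serial`.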
