[openssl-users] Using set_serial to control serial number size directly

Robert Moskowitz rgm at htt-consult.com
Mon Aug 21 13:32:36 UTC 2017



On 08/21/2017 09:20 AM, Salz, Rich via openssl-users wrote:
>      But in doing this, I can't figure out if there is a risk on serial
>      number size for a root CA cert as there is for any other cert.
>
> I don’t understand what attack you are concerned about, but the size of the serial number should not matter for *any* certificate.
>
This whole subject is tied into the substitution attack found with using 
an MD5 hash where you could change some things in the cert and still 
have a valid cert.  The solution, besides dropping MD5, was to include a 
crypto random number in the beginning of the cert, and the serial was 
chosen for this sacrifice.  Thus how large does this random number have 
to be to defend against this attack?  Is 8 octets enough or is 20 needed?

This is to make another valid cert with a different keypair.  OK, I get 
this for a cert signed by an issuer.  But the root issuer?  I don't see 
the attack.  Thus no need to push the root cert's serial to 20 octets.

I know I am a little cavalier in describing the attack, but that was the 
basic point of why to move away from sequential serials to random and 
what size (though there are other things about CAs that can be 
discovered by analyzing the sequential serial numbers they used).

Meanwhile, I was wrong that -set_serial works with 'openssl ca'. The man 
page was talking about it in conjunction with the -CA option. With 'openssl 
ca' use of the serial file is mandatory according to the man page.  
There are no command line options for it.

Bob
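
Added example, not part of the message above: one way to produce a random serial of a chosen size (the 8 versus 20 octets discussed in the thread) so that its DER encoding is exactly that many octets. The function names and the `ca.pem`/`ca.key` file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up for illustration.

# der_octets HEX: content octets a non-negative INTEGER takes in DER
# (HEX must have an even number of digits).
der_octets() {
    h=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    # DER drops redundant leading 00 octets ...
    while [ "${#h}" -gt 2 ] && [ "$(printf '%s' "$h" | cut -c1-2)" = "00" ]; do
        h=$(printf '%s' "$h" | cut -c3-)
    done
    len=$(( ${#h} / 2 ))
    # ... and prepends one 00 when the top bit is set, to keep the value positive.
    top=$(printf '%s' "$h" | cut -c1-2)
    [ $(( 0x$top & 0x80 )) -eq 0 ] || len=$((len + 1))
    echo "$len"
}

# random_serial N: N octets from /dev/urandom as hex, shaped so the DER
# encoding is exactly N octets. Carries at most 8N-1 random bits (top bit fixed).
random_serial() {
    n=${1:-20}
    case $n in
        ''|0*|*[!0-9]*) echo "octet count must be 1..20" >&2; return 1 ;;
    esac
    # RFC 5280 limits serialNumber to 20 octets.
    [ "$n" -le 20 ] || { echo "octet count must be 1..20" >&2; return 1; }
    while :; do
        hex=$(od -An -v -tx1 -N "$n" /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
        [ "${#hex}" -eq $((n * 2)) ] || return 1
        first=$(printf '%02X' $(( 0x$(printf '%s' "$hex" | cut -c1-2) & 0x7F )))
        # A leading 00 octet would be dropped by DER and shorten the serial: redraw.
        [ "$first" != "00" ] || continue
        printf '%s%s\n' "$first" "$(printf '%s' "$hex" | cut -c3-)"
        return 0
    done
}

serial=$(random_serial 20)
echo "serial $serial, $(der_octets "$serial") octets in DER"
# openssl x509 -req ... -CA ca.pem -CAkey ca.key -set_serial "0x$serial"
# openssl ca: write "$serial" into the file named by the 'serial' config option.
```

A raw 20-octet random value with its top bit set would encode as 21 octets, which is why the generator clears that bit instead of passing the random bytes through unchanged.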


