[openssl-users] Using set_serial to control serial number size directly

Salz, Rich rsalz at akamai.com
Mon Aug 21 13:36:40 UTC 2017


➢ Thus how large does this random number have 

It’s also to protect against predicting serial numbers and being able to leverage that.  It’s not just (nor really mainly) the MD5 digest attacks.  According to CABForum, you need 8 octets.  No reason not to use more if you can.


➢ page was talking about in conjunction with the -CA option. With 'openssl 
    ca' use of the serial file is mandatory according to the man page.  
    There are no command line options for it.

Fixed in master and will be part of the next releases; the -rand_serial flag.
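An added example, not part of the original message or of OpenSSL's code: it generates a serial from 16 octets of CSPRNG output for use with `-set_serial` and checks a candidate value against the 8-octet minimum mentioned above and the 20-octet serialNumber limit in RFC 5280. The function names and the fixed 0x01 prefix octet are assumptions of this example.

```python
import secrets

MIN_RANDOM_OCTETS = 8   # minimum cited in the message above
MAX_DER_OCTETS = 20     # RFC 5280 limit on the encoded serialNumber


def der_integer_octets(value: int) -> int:
    """Content octets of the DER INTEGER encoding of a positive value."""
    if value <= 0:
        raise ValueError("serial must be a positive integer")
    # DER integers are two's complement, so a value whose top bit is set
    # gains a leading 0x00 octet: 0x80 encodes as 00 80 (two octets).
    return value.bit_length() // 8 + 1


def new_serial(random_octets: int = 16) -> int:
    """Positive serial holding `random_octets` octets of CSPRNG output."""
    if not MIN_RANDOM_OCTETS <= random_octets < MAX_DER_OCTETS:
        raise ValueError("random_octets must be between 8 and 19")
    # Assumption of this example: a fixed 0x01 prefix octet keeps the value
    # positive and non-zero without clearing any random bit, and makes the
    # encoded length constant (random_octets + 1).
    return int.from_bytes(b"\x01" + secrets.token_bytes(random_octets), "big")


def set_serial_arg(value: int) -> str:
    """Format a serial as the 0x-prefixed hex form taken by -set_serial."""
    return "0x" + format(value, "X")


def check_serial_arg(arg: str) -> list:
    """Size checks only; a value's length says nothing about its randomness."""
    value = int(arg, 16) if arg.lower().startswith("0x") else int(arg, 10)
    if value <= 0:
        return ["serial must be positive and non-zero"]
    problems = []
    octets = der_integer_octets(value)
    if octets < MIN_RANDOM_OCTETS:
        problems.append(f"{octets} octets cannot hold 8 octets of random data")
    if octets > MAX_DER_OCTETS:
        problems.append(f"{octets} octets exceeds the 20-octet limit")
    return problems


if __name__ == "__main__":
    print(set_serial_arg(new_serial()))
```
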


