> From: openssl-users On Behalf Of Walter H.
> Sent: Sunday, July 05, 2015 06:49
<snip: CentOS default>
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem -out ./squidCA.pem
>
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
>

Quoting the man page for req(1) -- although depending on the packaging, which I don't know for CentOS, it may be a different section like 1s or 1ssl -- and also on the web at https://www.openssl.org/docs/apps/req.html :

    -x509
        this option outputs a self signed certificate instead of a
        certificate request. This is typically used to generate a test
        certificate or a self signed root CA. The extensions added to the
        certificate (if any) are specified in the configuration file.
        Unless specified using the set_serial option, a large random
        number will be used for the serial number.

> would this also be an option when using openssl like this:
>
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate ... -enddate ... ....
>

'ca' always uses the value currently in a 'serial' file configured in the configuration file, and increments it, thus using sequential numbers when you issue more than one cert. 'ca' also records issued certs in a 'database' file usually named index.txt (a VERY SIMPLE db, just a file with text lines and columns), which makes sequential numbers convenient. If you want nonsequential numbers you can edit the serial file before each or any execution of 'ca'. This is mostly described on the man page for ca(1ssl), although on checking I see it isn't actually stated that serial values are incremented; you're supposed to infer that from the usual meaning of the word, although the X.509 meaning has diverged.
OpenSSL's other, simpler but less capable way to issue a child cert is 'openssl x509' with '-req' and '-CA', plus '-CAkey' unless the key is in the (CA)cert file, and other options as needed. In this method you may specify '-set_serial' as an option; else it uses the serial-file method like 'ca', except the filename may be an option or defaults to the (CA)cert file name with .pem or other suffix changed to .srl. And 'x509 -req -CA' does NOT record the index.txt 'database'. Now, where do you think documentation of 'x509' might be?
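The three issuance paths described in this reply ('req -x509', 'ca', and 'x509 -req -CA') exercised end to end, as an added example that is not part of the list post or the OpenSSL project. It assumes the openssl CLI is on PATH (1.0.2 or later), builds a throwaway CA in a temp directory with a minimal 'ca' config written inline, and reads back the serial each path produced; every CN, path and serial value below is made up for the demo. The interesting properties for anyone running a private CA: 'ca' takes its serial from the 'serial' file, rewrites it incremented, and appends a line to index.txt; 'x509 -req -CA -set_serial' uses exactly the value given and records nothing, so uniqueness of serials under that path is entirely the caller's job; 'x509 -req -CA -CAcreateserial' keeps its own counter in ca.srl beside the CA cert and also records nothing.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): exercise the three OpenSSL
# issuance paths the reply describes and read back the serial each produced.
# Requires the openssl CLI; all names, paths and serial values are made up.
set -eu

# Serial of a PEM certificate as hex, without the "serial=" prefix.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Generate a key pair and CSR for CN=$2 inside directory $1; print the CSR path.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    echo "$1/$2.csr"
}

# Path 1: 'req -x509'. No serial file is involved; OpenSSL picks a large
# random serial. Builds the demo CA (cert, key, 'ca' config, empty database,
# serial file) in directory $1 and prints the CA cert's serial.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 -days 365 \
        -subj '/CN=Demo Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Minimal config for 'openssl ca': 'serial' is where serials come from,
    # 'database' is the index.txt the reply mentions.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca    = demo_ca

[ demo_ca ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/ca.pem
private_key   = $dir/ca.key
serial        = $dir/serial
default_md    = sha256
default_days  = 30
policy        = demo_policy

[ demo_policy ]
commonName    = supplied
EOF
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"   # start the sequence at hex 1000 (constructed)
    cert_serial "$dir/ca.pem"
}

# Path 2: 'openssl ca'. Reads the 'serial' file, rewrites it incremented,
# records the cert in index.txt. Prints the serial of the new cert.
issue_with_ca() {
    csr=$(make_csr "$1" "$2")
    openssl ca -batch -config "$1/ca.cnf" -name demo_ca -in "$csr" \
        -out "$1/$2.pem" -notext >/dev/null 2>&1
    cert_serial "$1/$2.pem"
}

# Path 3: 'x509 -req -CA'. With a third argument the serial is exactly
# -set_serial; otherwise it comes from ca.srl next to the CA cert (created
# by -CAcreateserial if missing) and is incremented. index.txt is untouched.
issue_with_x509() {
    csr=$(make_csr "$1" "$2")
    if [ $# -ge 3 ]; then
        openssl x509 -req -in "$csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -set_serial "$3" -days 30 -sha256 -out "$1/$2.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
            -CAcreateserial -days 30 -sha256 -out "$1/$2.pem" >/dev/null 2>&1
    fi
    cert_serial "$1/$2.pem"
}

# Number of certificates recorded in the 'ca' database (one line per cert).
index_entries() {
    wc -l < "$1/index.txt" | tr -d ' '
}

main() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    echo "req -x509 (random serial): $(setup_ca "$work")"
    echo "ca, first cert:            $(issue_with_ca "$work" one)"
    echo "ca, second cert:           $(issue_with_ca "$work" two)"
    echo "serial file now holds:     $(cat "$work/serial")"
    echo "index.txt entries:         $(index_entries "$work")"
    echo "x509 -set_serial 42:       $(issue_with_x509 "$work" three 42)"
    echo "x509 -CAcreateserial:      $(issue_with_x509 "$work" four)"
    echo "x509 via ca.srl again:     $(issue_with_x509 "$work" five)"
    echo "ca.srl now holds:          $(cat "$work/ca.srl")"
    echo "index.txt entries:         $(index_entries "$work")"
}

main
```

Running it shows the 'ca' serials climbing 1000, 1001 with the serial file left at 1002 and two index.txt lines, while the three 'x509 -req' issuances leave index.txt at two lines: the database only knows about certs issued through 'ca', so any audit of "what did this CA sign" that relies on index.txt misses the 'x509' path entirely.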