On 16-08-17 15:24, Tom Browder wrote:
[...]
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given
> that the certs are only used for us. I'm not even sure I'll ever revoke
> any cert (they were issued to expire sometime in 2030).

You should revoke certificates when their private keys are compromised; e.g., when the machine on which they were stored is stolen, lost, or broken into by a remote attacker based on password guessing, user error, social engineering, or something of the sort. You aren't sure that any of that will happen now, but usually people who are compromised never expected that. Don't assume that just because they are password-protected they are safe; passwords will delay the attacker, but not stop them.

To accommodate for that, you should generate the CRLs for your certificates now, even if they're empty, and make sure that the software you've configured to use your private CA is set up to check the CRLs. That way, when you become aware of a compromised private key of one of the certificates, you don't need to hurry to reconfigure all those services, but can simply revoke the certificate and possibly force critical applications to reread the CRL (e.g., by restarting the service), thereby turning a possibly full-day panicked "help I was compromised" into a five-minute "certificate revoked, done" session.

> So, in summary, do I need to ensure cert serial numbers are unique for
> my CA?

Since CRLs expect that your serial numbers are unique, yes, you do need to ensure that.

-- 
Wouter Verhelst

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
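The practice recommended in the reply (publish an empty CRL now, make relying software check it, and let the CA's serial file keep serial numbers unique), as an added shell example that is not from the thread or from OpenSSL's own documentation. It assumes only the openssl CLI (1.1.1 or 3.x) on PATH; the CA name, host name and file layout are constructed for the demo.

```shell
# Added example, not from the thread: a throwaway private CA in a temp dir (all names
# constructed). Shows why an empty CRL should be published right away: with -crl_check
# enabled, a relying party FAILS when no CRL exists, passes once an (empty) CRL is there,
# and rejects the leaf after revocation. Assumes only the openssl CLI (1.1.1 or 3.x).
crl_demo() (
  set -eu
  work="$(mktemp -d)"; cd "$work"
  # Minimal openssl.cnf for 'openssl ca'; the serial file keeps issued serials unique,
  # and CRLs identify certificates by (issuer, serial), which is why uniqueness matters.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  # Self-signed root, then one leaf issued through 'openssl ca' (consumes the serial file)
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj "/CN=Demo Private CA" -days 3650 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=svc.example.internal" 2>/dev/null
  openssl ca -batch -config ca.cnf -days 365 -in leaf.csr -out leaf.crt >/dev/null 2>&1
  # 1) CRL checking on, but no CRL published yet: verification fails outright
  r1=$(openssl verify -crl_check -CAfile ca.crt leaf.crt >/dev/null 2>&1 && echo ok || echo fail)
  # 2) Publish the (still empty) CRL: verification passes
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1
  r2=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1 && echo ok || echo fail)
  # 3) Revoke the leaf and reissue the CRL: the relying party now rejects it
  openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1
  r3=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1 && echo ok || echo fail)
  cd /; rm -rf "$work"
  printf '%s %s %s\n' "$r1" "$r2" "$r3"
)
crl_demo   # prints: fail ok fail
```

The first result is the point of the advice: a service that has been told to check CRLs refuses to trust anything until a CRL exists, so publishing an empty one up front is what lets CRL checking be switched on long before the first revocation.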