On 8/17/2017 09:40, Robert Moskowitz wrote:
> I have been researching serial number in cert based on Jakob's comment:
>
> "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone
> numbers and as DER-encoded numbers. Note that this is not the default in
> the openssl ca program.
> - Serial numbers contain cryptographically strong random bits, currently at
> least 64 random bits, though it is best if the entire serial number looks
> random from the outside. This is not implemented by the openssl ca program."
>
> And this is supposedly from the CA/B BF?
>
> Though Erwann responded:
>
> "There's no such requirement. It MUST be at most 20 octets long"
>
> I see how for all certs other than the root (get to that later), I can
> control this with:
>
> openssl rand -hex 20 > serial
>
> then use 'openssl ca ...'
>
> But from Kyle's comment, the first bit must be ZERO.
So since 20 octets is a maximum and not a requirement, use -hex 19
instead, and if this results in DER placing a leading 0x00 byte you're
still OK. This also complies with the ballot that Rich mentioned, since
you have more entropy than required.

At least I think that meets the requirements....
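The point of the exchange above is the interaction between `openssl rand -hex N > serial`, the DER rule that a positive INTEGER whose top bit is set gets a 0x00 pad octet, and the 20-octet ceiling on the encoded serial. The following Python is an added example, not code from the thread or from OpenSSL; it re-implements the DER INTEGER content encoding so the reader can see why 19 random octets always fit while 20 random octets sometimes need a 21st, and it goes one step beyond the thread with a generator (`new_serial_exactly_20_der_octets`, a name chosen here) that produces the "exactly 20 bytes, 153 to 159 bits" shape Jakob describes. The 20-octet limit and positivity requirement are those of RFC 5280 section 4.1.2.2; `secrets.token_bytes` stands in for `openssl rand`.

```python
import secrets

# RFC 5280 section 4.1.2.2: the encoded serialNumber is at most 20 octets
# and must be a positive integer.
MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Return the content octets of the DER INTEGER encoding of a positive integer.

    DER uses minimal two's-complement: if the most significant bit of the first
    octet is 1, a 0x00 octet is prepended so the value is not read as negative.
    That pad octet is what can push a 20-octet random value to 21 octets.
    """
    if value <= 0:
        raise ValueError("certificate serial numbers must be positive")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def serial_is_compliant(value: int) -> bool:
    """True if the serial is positive and its DER content fits in 20 octets."""
    return value > 0 and len(der_integer_content(value)) <= MAX_SERIAL_OCTETS


def new_serial_from_random_octets(n_octets: int) -> int:
    """Mimic `openssl rand -hex N > serial`: N random octets read as a big-endian integer.

    A zero value is rejected because a zero serial is not positive.
    """
    while True:
        value = int.from_bytes(secrets.token_bytes(n_octets), "big")
        if value > 0:
            return value


def new_serial_exactly_20_der_octets() -> int:
    """Hypothetical generalisation of the thread's advice (not from the thread):
    a random serial whose DER content is exactly 20 octets, i.e. 153 to 159 bits,
    so bit 159 must be clear (no pad octet) and bit 152 must be set (20th octet used).
    """
    value = int.from_bytes(secrets.token_bytes(MAX_SERIAL_OCTETS), "big")
    value &= (1 << 159) - 1  # clear the sign bit so DER needs no 0x00 pad
    value |= 1 << 152        # force the top octet to be non-zero
    return value


if __name__ == "__main__":
    for n in (19, 20):
        s = new_serial_from_random_octets(n)
        print(f"{n} random octets -> DER content {len(der_integer_content(s))} octets, "
              f"compliant={serial_is_compliant(s)}")
    s = new_serial_exactly_20_der_octets()
    print(f"exact-20 generator -> DER content {len(der_integer_content(s))} octets, "
          f"compliant={serial_is_compliant(s)}")
```

Run it a few times with `n = 20` and about half the draws will report 21 octets, which is exactly the case the reply avoids by using `-hex 19`; with 19 octets the worst case is 19 random octets plus the pad, so the encoding never exceeds 20.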
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users