On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote:
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes.
So the new –rand_serial flag I am adding to the CA command will make call RAND_bytes to get 18 bytes.
On 8/17/17, 10:45 AM, "Salz, Rich via openssl-users" <openssl-users@xxxxxxxxxxx> wrote:
https://cabforum.org/2016/07/08/ballot-164/
“Effective September 30, 2016, CAs SHALL generate Certificate serial
numbers greater than zero (0) containing at least 64 bits of output from
a CSPRNG.”
What does "64 bits of output from a CSPRNG" mean here? A 4 octet serial
number is OK? Or 2^64 bit serial number represented in HEX (how long is
that?)
For now I will use:
openssl rand -hex 18 > serial
My reading on 'openssl rand' SEEMS to indicate it is cryptographically
strong (provided you have entropy. See: cat
/proc/sys/kernel/random/entropy_avail
For constrained IoT, I would like to use the smallest possible. Thus the
clarifying the 64bit question above.
thanks
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
