Using set_serial to control serial number size directly

I have worked out that:

openssl req -config openssl-root.cnf -set_serial 0x$(openssl rand -hex 19) -key private/ca.key.pem \
      -subj "$DN" \
      -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem


allows you to override the serial number selection process and thus control what size serial number you use.

This also works for openssl ca for signing a csr, so you don't have to deal with the serial file.

You can further parameterize this with:

-set_serial 0x$(openssl rand -hex $sn)

when sn=some number 8 to 19.

But in doing this, I can't figure out if there is a risk on serial number size for a root CA cert as there is for any other cert. The nature of the attack, just to me, does not seem to apply to a root CA cert. So that a serial number size of 8 octets is just fine for the root cert.

Please correct me if I don't have the risk properly understood.

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
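
An added example, not part of the original post: a check of how many octets a value passed to -set_serial occupies once DER-encoded. RFC 5280 (section 4.1.2.2) requires a positive serial of at most 20 octets, and a random value whose high bit is set gains a leading zero octet, so 19 random octets is the most that always fits. The function names are hypothetical and the sample serials are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample serials are constructed.

# Print the number of content octets DER needs for a serial given as hex.
serial_der_len() {
    hex=$(printf '%s' "$1" | tr 'A-FX' 'a-fx')
    hex=${hex#0x}
    # Pad to whole octets.
    if [ $(( ${#hex} % 2 )) -eq 1 ]; then hex="0$hex"; fi
    # DER is minimal: leading zero octets are dropped.
    while [ "${#hex}" -gt 2 ] && [ "${hex#00}" != "$hex" ]; do
        hex=${hex#00}
    done
    len=$(( ${#hex} / 2 ))
    # A set high bit would read as negative, so DER prepends one 0x00 octet.
    case $hex in
        [89a-f]*) len=$(( len + 1 )) ;;
    esac
    printf '%s\n' "$len"
}

# Succeed only for a positive serial of at most 20 encoded octets (RFC 5280).
serial_ok() {
    case $(printf '%s' "${1#0[xX]}" | tr -d '0') in
        '') return 1 ;;   # zero or empty serial
    esac
    [ "$(serial_der_len "$1")" -le 20 ]
}

# Hypothetical helper: a serial built from $1 random octets, ready for
# -set_serial. Reject and retry if serial_ok fails on the result.
new_serial() {
    printf '0x%s\n' "$(openssl rand -hex "$1")"
}

# Constructed samples: 19 octets (high bit clear, then set) and 20 octets
# with the high bit set.
z36=$(printf '%036d' 0)
for s in "0x7f$z36" "0xff$z36" "0xff${z36}00"; do
    if serial_ok "$s"; then verdict="ok"; else verdict="too long"; fi
    printf '%s encoded octets: %s\n' "$(serial_der_len "$s")" "$verdict"
done
```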


