Re: Can create a cert with no serial number?

On Wed, May 31, 2023 at 09:21:07PM -0400, Robert Moskowitz wrote:

> openssl rand -hex 1 > $dir/serial

Don't do that.  You'll quickly create collisions.
Initialise the serial number to 1 more than the
serial number of the issuing CA, and let it be
auto-maintained thereafter.

This assumes a sound digest algorithm is used, otherwise predictable
serial numbers make it easier to mount collision attacks on the CA.
Are you sure you actually need to squeeze out every last byte?

Premature optimisation ...

-- 
    Viktor.
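
The two points in the reply above, worked through as an added example (not part of the original message and not OpenSSL code): how soon random serials of a given width are expected to repeat by accident, and how to derive a starting value for the serial file from the issuing CA certificate's serial. The function names are hypothetical, and the input line is assumed to be in the `serial=...` form printed by `openssl x509 -noout -serial`.

```python
import math

def collision_probability(n_certs: int, serial_bytes: int) -> float:
    """Chance that n_certs uniformly random serials of this width contain a repeat."""
    space = 256 ** serial_bytes
    if n_certs > space:
        return 1.0  # pigeonhole: more certificates than possible serials
    # log P(all distinct) = sum of log(1 - i/space). log1p/expm1 keep precision
    # when the serial space is large and every term is tiny.
    log_unique = sum(math.log1p(-i / space) for i in range(n_certs))
    return -math.expm1(log_unique)

def certs_until_likely_collision(serial_bytes: int, threshold: float = 0.5) -> int:
    """Smallest number of issued certificates whose repeat probability reaches threshold."""
    n = 1
    while collision_probability(n, serial_bytes) < threshold:
        n += 1
    return n

def next_serial_after(openssl_serial_line: str) -> str:
    """Return CA serial + 1 as upper-case hex for the serial file.

    Assumption: the input is a line such as 'serial=0FA3'. The result is padded
    to an even number of hex digits, the form used in `openssl ca` serial files.
    """
    _, _, hex_value = openssl_serial_line.strip().partition("=")
    digits = format(int(hex_value, 16) + 1, "X")  # Python ints have no 64-bit limit
    return digits.zfill(len(digits) + len(digits) % 2)

if __name__ == "__main__":
    # `openssl rand -hex 1` draws from only 256 values.
    for width in (1, 2):
        n = certs_until_likely_collision(width)
        print(f"{width}-byte random serial: repeat more likely than not after {n} certs")
    # Constructed sample value, not taken from a real certificate.
    print(next_serial_after("serial=0FA3"))
```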


