Jorey Bump wrote:
There is one caveat: the number of characters must be even:
    unable to load number from /etc/ssl/CA/serial
    error while loading serial number
    3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:f_int.c:162:
Therefore, I needed to modify my command:
    # example: 2005071711520001 (16 char, must be even # of chars)
    echo $(date +%Y%m%d%H%M)0001 > serial
And RFC 3280 has this to say:
    4.1.2.2 Serial number

    The serial number MUST be a positive integer assigned by the CA to
    each certificate. It MUST be unique for each certificate issued by a
    given CA (i.e., the issuer name and serial number identify a unique
    certificate). CAs MUST force the serialNumber to be a non-negative
    integer.

    Given the uniqueness requirements above, serial numbers can be
    expected to contain long integers. Certificate users MUST be able to
    handle serialNumber values up to 20 octets. Conformant CAs MUST NOT
    use serialNumber values longer than 20 octets.

    Note: Non-conforming CAs may issue certificates with serial numbers
    that are negative, or zero. Certificate users SHOULD be prepared to
    gracefully handle such certificates.
I guess this limits serial numbers to 20 numeric characters, and I
assume this includes leading zeroes, unless the asn1 encoding routine
strips them. Unfortunately, this limits the life of my CA to
99,997,994,928,288,479,998 signed certificates, using the example I've
given above. ;)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
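
An added example, not part of the original message: a shell check to run on a candidate value before writing it to the CA's serial file, covering the even-length rule behind the a2i_ASN1_INTEGER error and the RFC 3280 limits quoted above. It assumes the file holds hexadecimal digits, as the openssl ca documentation describes; check_serial is a hypothetical helper name, and counting a DER sign octet toward the 20-octet limit is a conservative assumption.

```shell
#!/bin/sh
# Added example: validate a candidate serial before writing it to the CA's
# serial file. check_serial is a hypothetical helper, not an OpenSSL command.
# Assumption: the value is hexadecimal, as the openssl ca documentation says.

check_serial() {
    s=$1
    # Only hex digits, and at least one of them.
    case $s in
        ''|*[!0-9A-Fa-f]*) echo "not hex"; return 1 ;;
    esac
    # a2i_ASN1_INTEGER rejects an odd digit count (the error in the post).
    if [ $(( ${#s} % 2 )) -ne 0 ]; then
        echo "odd number of chars"; return 1
    fi
    # Drop leading 00 octets; they do not add to the integer's size.
    while [ "${s#00}" != "$s" ]; do s=${s#00}; done
    # RFC 3280 4.1.2.2: the serial MUST be positive, so all-zero is rejected.
    if [ -z "$s" ]; then
        echo "zero"; return 1
    fi
    octets=$(( ${#s} / 2 ))
    # Conservative assumption: a leading digit of 8-F needs a 00 sign octet
    # in the DER INTEGER, and that octet is counted toward the limit.
    case $s in
        [89A-Fa-f]*) octets=$(( octets + 1 )) ;;
    esac
    if [ "$octets" -gt 20 ]; then
        echo "longer than 20 octets"; return 1
    fi
    echo "ok"
}

# Constructed sample values: the 16-digit form from the post and a
# 15-digit variant that reproduces the odd-length failure.
for v in 2005071711520001 200507171152001; do
    printf '%s: %s\n' "$v" "$(check_serial "$v")"
done
```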