On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> As I have hopefully understood, setting the serial number of a CA to a
> distinct number like 1 is good practice. From a technical point of view any
> number should be as good as another as long as they are unique (as you mentioned
> in your post to Kyle). But for a CA? I saw a CA certificate from Thawte having
> a serial number of 1 and a CA certificate of VeriSign having a perhaps random
> number. What will be the best way for a CA? Is there any preferred way?
>
The problem with OpenSSL by default using '1' and then consecutive numbers was that newbies were following some rather ancient "cookbooks" which came with certain projects using OpenSSL and ended up producing loads of duplicates. Even using the recommended methods (CA.pl) that was still possible.

To give you a simple example: as a test case someone might use the default values for a certificate in the fields and put something like "test" in the fields without a default. They might install that certificate, or install it on a random collection of machines. If they then got it wrong and tried again later with the same values, that would give a duplicate serial number in the two CAs for a start. If the two CAs had issued end user certificates you'd get the situation where apparently bizarre errors such as certificate signature failures would occur, because the other CA public key was used to verify the signatures on certificates.

The fairly large random value for serial numbers is designed to avoid that situation but still allow the more knowledgeable user to override that. If you are sure the issuer name and serial number will be unique then you can choose any value you wish. Some CAs choose consecutive values, others what look like random values or hashes.

One commercial reason for not using consecutive values is that competitors can work out how many certificates you've issued...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
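The situation Steve describes, as an added illustration that is not part of the original thread and not OpenSSL's own code: a verifier identifies a certificate by the pair (issuer name, serial number), so two throwaway "test" CAs that both kept the default names and serial 1 are indistinguishable by that key, while random serials never collide in practice. The block also shows the constraints a serial must meet (RFC 5280 section 4.1.2.2: a positive INTEGER that DER-encodes in at most 20 octets), which is why a "fairly large random value" is 159 bits rather than 160 or more. The 159-bit width is an assumption chosen here to mirror python-cryptography's `x509.random_serial_number()`; the `pubkey` strings and certificate dictionaries are constructed stand-ins for real key material, and `der_integer`, `check_serial`, `random_serial`, `index_certs` and `collision_demo` are hypothetical helper names.

```python
import secrets

# RFC 5280 section 4.1.2.2: serialNumber is a positive INTEGER, unique per
# issuer, and relying parties must accept values up to 20 octets long.
MAX_SERIAL_OCTETS = 20
# 20 octets with the sign bit clear always fits without a leading 0x00 byte.
# Assumption: same width as python-cryptography's random_serial_number().
DEFAULT_SERIAL_BITS = 159


def der_integer(n: int) -> bytes:
    """DER-encode a non-negative integer as an ASN.1 INTEGER (tag 0x02)."""
    if n < 0:
        raise ValueError("negative serial numbers are not allowed")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # two's complement: keep the value positive
        body = b"\x00" + body
    if len(body) >= 128:        # long-form length is never needed for serials
        raise ValueError("integer too large for this encoder")
    return b"\x02" + bytes([len(body)]) + body


def check_serial(n: int) -> bytes:
    """Return the DER encoding of a serial, or raise if RFC 5280 forbids it."""
    if n <= 0:
        raise ValueError("serial numbers must be positive (zero is not allowed)")
    enc = der_integer(n)
    octets = len(enc) - 2       # strip tag and length bytes
    if octets > MAX_SERIAL_OCTETS:
        raise ValueError(f"serial needs {octets} octets, more than {MAX_SERIAL_OCTETS}")
    return enc


def random_serial(bits: int = DEFAULT_SERIAL_BITS) -> int:
    """Pick a random serial that always passes check_serial()."""
    while True:
        n = secrets.randbits(bits)
        if n:                   # randbits can return 0, which is not a valid serial
            return n


def index_certs(certs):
    """Key certificates by (issuer, serial) as a verifier does; report clashes.

    A clash is the same (issuer, serial) pair carrying a different public key;
    loading the same certificate twice is harmless and is not reported.
    """
    table, duplicates = {}, []
    for cert in certs:
        key = (cert["issuer"], cert["serial"])
        if key in table and table[key]["pubkey"] != cert["pubkey"]:
            duplicates.append(key)
        table[key] = cert
    return table, duplicates


def collision_demo():
    """Two self-signed test CAs created with the same untouched default names.

    Constructed data: the 'pubkey' strings stand in for real key material.
    Returns (clashes with serial 1 on both, clashes with random serials).
    """
    name = "CN=test,O=Internet Widgits Pty Ltd"
    attempt_a = {"issuer": name, "subject": name, "serial": 1, "pubkey": "key-A"}
    attempt_b = {"issuer": name, "subject": name, "serial": 1, "pubkey": "key-B"}
    _, dup_fixed = index_certs([attempt_a, attempt_b])

    # Same mistake, but each CA picked a fresh random serial at creation time.
    random_a = dict(attempt_a, serial=random_serial())
    random_b = dict(attempt_b, serial=random_serial())
    _, dup_random = index_certs([random_a, random_b])
    return dup_fixed, dup_random


if __name__ == "__main__":
    fixed, randomised = collision_demo()
    print("clashes with serial 1 on both CAs:", fixed)
    print("clashes with random serials:      ", randomised)
    print("random serial DER length (bytes): ", len(check_serial(random_serial())))
```

With the fixed serial the lookup table ends up holding only the second CA under the shared key, so signatures on certificates issued by the first CA get checked against the wrong public key, which is exactly the "bizarre" signature failure described above. The 159-bit choice matters: 2**159 already needs a leading 0x00 byte and so 21 octets, which check_serial rejects.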