Dr. Stephen Henson wrote:
> On Wed, May 17, 2006, Phil Dibowitz wrote:
>
>> Thanks for the quick reply.
>>
>> Hmm. Then why is it when I create a self-signed CA with openssl I get
>> the former displayed, but when I then sign a cert with that CA, I
>> get the latter? I don't understand why it is using different byte
>> lengths?
>
> Depends how the CA is set up. Some "cookbook" guides from various sources
> manually set up the OpenSSL serial number file to a small number.
>
> The standard OpenSSL tools such as CA.pl use a 64 bit random number for the
> serial number file.

Ah. OK. "CA.pl -newca" takes a random 64-bit number for the serial number of the CA, and then auto-increments that for all of the certs it signs.

Why random? Why not start at 64-bits of 0s? Is there some benefit here?

Thanks.

--
Phil Dibowitz P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com