On Wed, May 17, 2006, Phil Dibowitz wrote:
>
> "CA.pl -newca" takes a random 64-bit number for the serial number of the
> CA, and then auto-increments that for all of the certs it signs.
>
> Why random? Why not start at 64-bits of 0s? Is there some benefit here?
>
The serial number is an integer. 64 bits of 0s is 0, which is an illegal serial number.

The reason for the random nature is so that OpenSSL by default makes it very unlikely to duplicate issuer names and serial numbers, which is a standard violation and can cause peculiar, hard-to-trace errors in common web browsers. That can be very confusing for beginners.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
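The two points in the reply, that 0 is not a legal serial and that a random starting value keeps (issuer name, serial) pairs from colliding, can be checked in a few lines. The following is an added illustration written for this page, not code from the thread or from OpenSSL's CA.pl; it uses only the Python standard library, and the class and function names (SerialIssuer, IssuedCertRegistry, serial_to_der_integer) and the demo issuer name are hypothetical. It also goes one step beyond the thread by showing how a serial is encoded as a DER INTEGER, since that is where the "positive integer" rule bites: a value with its top bit set needs a leading 0x00 byte or it decodes as a negative number.

```python
import secrets
from typing import Optional


def is_valid_serial(serial: int) -> bool:
    """X.509 serial numbers are positive integers: 0 and negatives are illegal,
    which is why "64 bits of 0s" cannot be used as a starting serial."""
    return isinstance(serial, int) and not isinstance(serial, bool) and serial > 0


def new_random_serial(bits: int = 64) -> int:
    """Draw a random `bits`-bit serial, retrying in the (astronomically rare) case of 0."""
    while True:
        serial = secrets.randbits(bits)
        if is_valid_serial(serial):
            return serial


def serial_to_der_integer(serial: int) -> bytes:
    """Encode a serial as a DER INTEGER (tag 0x02).

    DER INTEGER is two's complement, so when the first content byte has its
    top bit set a 0x00 byte is prefixed to keep the value positive."""
    if not is_valid_serial(serial):
        raise ValueError("serial must be a positive integer")
    body = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) >= 128:
        # Short-form length only; a 64-bit serial never gets near this limit.
        raise ValueError("serial too long for short-form DER length")
    return bytes([0x02, len(body)]) + body


class SerialIssuer:
    """Mimics the CA.pl behaviour described in the thread: start from a random
    64-bit value and hand out consecutive serials from there. A fixed `start`
    is accepted only so the collision case can be demonstrated deterministically."""

    def __init__(self, start: Optional[int] = None):
        self._next = new_random_serial() if start is None else start
        if not is_valid_serial(self._next):
            raise ValueError("start serial must be a positive integer")

    def next_serial(self) -> int:
        serial = self._next
        self._next += 1
        return serial


class IssuedCertRegistry:
    """Tracks (issuer name, serial) pairs so a duplicate, which the standard
    forbids, is caught before a certificate is issued."""

    def __init__(self):
        self._seen = set()

    def record(self, issuer: str, serial: int) -> bool:
        """Return True if the pair is new, False if it collides with an issued cert."""
        if not is_valid_serial(serial):
            raise ValueError("illegal serial")
        key = (issuer, serial)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


if __name__ == "__main__":
    # Constructed demo data (hypothetical issuer name): a CA that is rebuilt with
    # the same subject name and a fixed starting serial reuses serial 1 and collides.
    issuer = "CN=Example Test CA"
    registry = IssuedCertRegistry()
    first_ca = SerialIssuer(start=1)
    print("first CA, serial 1 recorded:", registry.record(issuer, first_ca.next_serial()))
    rebuilt_ca = SerialIssuer(start=1)
    print("rebuilt CA, serial 1 recorded:", registry.record(issuer, rebuilt_ca.next_serial()))
    # With a random start the chance of a rebuilt CA landing on a used serial is negligible.
    random_ca = SerialIssuer()
    serial = random_ca.next_serial()
    print("random-start serial:", hex(serial), "DER:", serial_to_der_integer(serial).hex())
```

Running the demo prints True for the first CA and False for the rebuilt one, which is exactly the duplicate issuer/serial situation the reply warns about; the random-start CA gets a fresh 64-bit value and its DER encoding shows the extra 0x00 prefix whenever the top bit happens to be set.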