On Sun, Apr 27, 2014 at 03:47:45PM +0200, Walter H. wrote:
> >Is there any way to control the incrementing of the serial number from the
> >root CA so that it is completely random,
>
> No.
Whether it is or is not a good idea to store and use issuing CA keys in
multiple locations, it *is* possible to do so using a somewhat lower layer
interface than "openssl ca". In particular, a bash(1) script with the
following function will be able to statelessly sign a CSR:

    # sign <cacert> <cakey> <days> <csr-in> <cert-out> <dns-name>...
    sign() {
        local digest=sha1 # Interoperable, use sha256 if desired
        local ca=$1; shift
        local cakey=$1; shift
        local days=$1; shift
        local reqin=$1; shift
        local certout=$1; shift
        # Remaining arguments are the DNS subject alternative names.
        local exts
        exts=$(printf "%s\n%s\n%s\n%s\n%s\n[altnames]\n%s\n" \
            "subjectKeyIdentifier = hash" \
            "authorityKeyIdentifier = keyid, issuer" \
            "basicConstraints = CA:false" \
            "extendedKeyUsage = clientAuth, serverAuth" \
            "subjectAltName = @altnames" \
            "$(i=0; for n; do i=$((i+1)); printf "DNS.%d=%s\n" "$i" "$n"; done)"
        )
        # No serial file: the serial is 128 random bits drawn per certificate.
        openssl x509 -req -"$digest" -in "$reqin" -out "$certout" \
            -extfile <(printf "%s\n" "$exts") \
            -CA "$ca" -CAkey "$cakey" \
            -set_serial "0x$(openssl rand -hex 16)" \
            -days "$days"
    }

in a single call of the form:

    sign cacert.pem cakey.pem 365 csr.pem newcert.pem \
        foo.example.com bar.example.com ...

where the second line is a non-empty list of subject alternative names to
include. The csr.pem file can be created using any suitable tool, or via a
similar approach:

    # req <key-in> <csr-out> <common-name>
    req() {
        local keyin=$1; shift
        local reqout=$1; shift
        local cn=$1; shift
        # The config is generated inline, so no openssl.cnf editing is needed.
        openssl req -new -sha1 -key "${keyin}" -out "$reqout" \
            -config <(printf "[req]\n%s\n%s\n%s\n[dn]\n%s\n" \
                "string_mask = utf8only" \
                "prompt = no" \
                "distinguished_name = dn" \
                "CN=$cn")
    }

    req key.pem csr.pem foo.example.com

Variants of this can be used that avoid generating intermediate files, with
the output of "req" piped in as the input to "sign" which sends the
certificate to stdout.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
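The pipelined variant mentioned at the end of the post, as an added example that is not Viktor's code: the CSR is written to stdout by "req" and read from stdin by "sign", so it never touches disk, and the random serial is read back from the issued certificate. It assumes a throwaway CA generated into a scratch directory (constructed here), SHA-256 instead of SHA-1, and "-subj" in place of the inline config.

```shell
# Constructed example: stateless CSR -> certificate pipeline with no
# intermediate CSR file; the CA material is generated into a scratch dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA (assumption: no pre-existing CA key/cert).
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/cakey.pem"
    openssl req -new -x509 -sha256 -key "$WORK/cakey.pem" \
        -subj "/CN=Stateless Test CA" -days 30 -out "$WORK/cacert.pem" 2>/dev/null
}

# Emit a CSR on stdout: req_stdout <keyfile> <cn>
req_stdout() {
    openssl req -new -sha256 -key "$1" -subj "/CN=$2"
}

# Sign the CSR read from stdin, write the cert to stdout:
# sign_stdin <cacert> <cakey> <days> <dns-name>...
sign_stdin() {
    ca=$1; cakey=$2; days=$3; shift 3
    ext=$(mktemp "$WORK/ext.XXXXXX")   # extension file (POSIX sh, no <(...))
    {
        printf '%s\n' "subjectKeyIdentifier = hash" \
            "authorityKeyIdentifier = keyid, issuer" \
            "basicConstraints = CA:false" \
            "extendedKeyUsage = clientAuth, serverAuth" \
            "subjectAltName = @altnames" "[altnames]"
        i=0; for n; do i=$((i+1)); printf 'DNS.%d=%s\n' "$i" "$n"; done
    } >"$ext"
    # Serial is 128 random bits per issuance; no serial file is kept.
    openssl x509 -req -sha256 -extfile "$ext" -CA "$ca" -CAkey "$cakey" \
        -set_serial "0x$(openssl rand -hex 16)" -days "$days" 2>/dev/null
    rm -f "$ext"
}

# Issue one leaf cert through the pipe, verify it chains to the CA, and
# return its serial number (hex, no "serial=" prefix).
issue_and_check() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
    req_stdout "$WORK/key.pem" foo.example.com \
        | sign_stdin "$WORK/cacert.pem" "$WORK/cakey.pem" 365 \
              foo.example.com bar.example.com >"$WORK/leaf.pem"
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/leaf.pem" >/dev/null
    openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2
}
```

Calling issue_and_check twice should yield two distinct serials of (up to) 32 hex digits, which is the whole point of replacing the serial file with a random draw.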