All of these approaches have already been suggested in this thread. Is it really necessary that we go through them again?
Rich Salz's suggestion of using a UUID for the serial number makes collisions sufficiently improbable that the possibility can be ignored, and it's simpler than any of the other proposals.

Michael Wojcik
Technology Specialist, Micro Focus

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Tim Hudson
Sent: Tuesday, 29 April, 2014 16:32
To: openssl-users@openssl.org
Subject: Re: Increment certificate serial numbers randomly

On 30/04/2014 6:05 AM, Walter H. wrote:
> On 29.04.2014 21:38, d...@deadhat.com wrote:
>> This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions.
> the serial number has maximum length ..., 256 bit is quite too big ..

In X.509 terms the serial number is an ASN1 integer value so there is no real length limit. It is also pretty common to see the output of a HASH operation used as a serial number in a certificate.

However in the context of everyone separately picking an RNG output value (on separate systems) there is no guarantee of zero collisions.

If you are installing the same "root" on multiple machines that don't coordinate then just auto-edit the serial file (if using the ca program) and put a unique prefix on the front. Perhaps just grab the machine MAC and add that in. And then the auto-incrementing handling will sort that out.

The serial number format is simply a hex string value. e.g. something like this could work (and there are better ways to do this - it is just to get you started down a path that may solve the original poster's immediate issue)

    # MAC address (colons stripped, no trailing newline) followed by a zero
    # counter, written as one hex string into the ca serial file
    { ifconfig eth0 | grep HWaddr | awk '{print $NF}' | sed -e 's/://g' | tr -d '\n'; echo "000000"; } > path-to-ca-serial-file

Tim.
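The random-serial approach discussed in this thread, written out as an added example (this is not code from any of the posters above): it draws a 16-byte serial from /dev/urandom, keeps it positive and within the 20-octet limit that RFC 5280 puts on certificate serial numbers, checks a candidate serial against those rules, and writes it in the plain hex-string format the openssl ca serial file uses. The byte length (16), the helper names and the serial file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Random serials avoid coordination
# between CAs; the checks below cover the two places they commonly go wrong:
# a negative DER INTEGER (top bit set) and a serial longer than 20 octets.

# Return N random bytes as lowercase hex using /dev/urandom (no newline).
random_hex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Build a 16-byte random serial (assumed length) with the top bit of the
# first byte cleared, so the DER encoding is positive without a leading
# 0x00 byte being added on top of the random bytes.
make_serial() {
    hex=$(random_hex 16)
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-)
    first=$(printf '%02x' $(( 0x$first & 0x7f )))
    printf '%s%s' "$first" "$rest"
}

# Validate a hex serial: non-empty, hex digits only, whole octets,
# at most 20 octets (40 hex digits), and positive (top bit clear).
check_serial() {
    s=$1
    case $s in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    len=${#s}
    [ $((len % 2)) -eq 0 ] || return 1
    [ "$len" -le 40 ] || return 1
    first=$(printf '%s' "$s" | cut -c1-2)
    [ $(( 0x$first & 0x80 )) -eq 0 ] || return 1
    return 0
}

# Write a fresh serial into the file the openssl ca program reads
# (path is a placeholder argument, e.g. ./demoCA/serial).
write_serial_file() {
    serial=$(make_serial)
    check_serial "$serial" || return 1
    printf '%s\n' "$serial" > "$1"
}
```

Point the ca configuration's serial setting at the file written by write_serial_file; openssl ca will then use that value for the next certificate and increment it as usual, so the uniqueness comes from the random starting point rather than from any per-machine prefix.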