Some standards (like the CA/Browser Forum guidelines) request a certain amount 
of entropy (like 20 bits) to be contained within the serial number. Is there 
some sort of best-practice for incorporating this small amount of real random 
data into a larger unique serial number?

cheers
Mat

On Tuesday 29. April 2014 21:59:10 you wrote:
> All of these approaches have already been suggested in this thread. Is it
> really necessary that we go through them again?
> 
> Rich Salz's suggestion of using a UUID for the serial number makes
> collisions sufficiently improbable that the possibility can be ignored, and
> it's simpler than any of the other proposals.
> 
> Michael Wojcik
> Technology Specialist, Micro Focus
> 
> 
> From: owner-openssl-us...@openssl.org On Behalf Of Tim Hudson
> Sent: Tuesday, 29 April, 2014 16:32
> To: openssl-users@openssl.org
> Subject: Re: Increment certificate serial numbers randomly
> 
> On 30/04/2014 6:05 AM, Walter H. wrote:
> On 29.04.2014 21:38, d...@deadhat.com wrote:
> 
> 
> This all seems unnecessarily complex. Make the serial number a 256 bit or
> greater true random number. There will be no collisions.
> The serial number has a maximum length ..., 256 bits is much too big ..
> 
> In X.509 terms the serial number is an ASN1 integer value so there is no
> real length limit. It is also pretty common to see the output of a HASH
> operation used as a serial number in a certificate. However in the context
> of everyone separately picking an RNG output value (on separate systems)
> there is no guarantee of zero collisions.
> 
> If you are installing the same "root" on multiple machines that don't
> coordinate then just auto-edit the serial file (if using the ca program)
> and put a unique prefix on the front. Perhaps just grab the machine MAC and
> add that in. And then the auto-incrementing handling will sort that out.
> The serial number format is simply a hex string value.
> 
> e.g. something like this could work (and there are better ways to do this -
> it is just to get you started down a path that may solve the original
> poster's immediate issue).
> 
> # group both commands so the MAC and the counter land in the same file
> ( ifconfig eth0 | grep HWaddr | awk '{print $NF}' | sed -e 's/://g' | tr -d '\n'; echo "000000" ) > path-to-ca-serial-file
> 
> Tim.
> 

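As an added example (not code from the thread or from OpenSSL), here is the "unique per-issuer prefix plus random part" scheme discussed above in Python, sized so the result is always a positive DER INTEGER of at most 20 octets (the RFC 5280 limit for conforming CAs) and written in the even-length hex form the `openssl ca` serial file uses. The issuer identifier string and the 64-bit random width are assumptions; the prefix could equally be the MAC address Tim suggests.

```python
import hashlib
import secrets

# Added example, not code from the thread.  Scheme: fixed per-issuer prefix
# (so uncoordinated CA instances cannot collide) followed by CSPRNG output
# (so the serial is unpredictable), as suggested in the thread.
MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: conforming CAs use at most 20 octets
RANDOM_BITS = 64         # comfortably above the 20 bits the question mentions


def issuer_prefix(issuer_id: str, bits: int = 64) -> int:
    """Fixed-width prefix derived from a per-CA identifier (hostname, MAC, ...).
    Hashing only gives a uniform fixed width; it adds no secrecy."""
    digest = hashlib.sha256(issuer_id.encode("utf-8")).digest()
    return int.from_bytes(digest[: bits // 8], "big")


def der_integer_octets(value: int) -> int:
    """Content octets DER needs for a non-negative INTEGER: a leading 0x00 is
    added when the top bit of the most significant byte is set."""
    return value.bit_length() // 8 + 1


def make_serial(prefix: int, random_bits: int = RANDOM_BITS, rng=secrets.randbits) -> int:
    """prefix || random_bits of CSPRNG output, guaranteed positive and <= 20 octets."""
    if prefix < 0 or prefix.bit_length() + random_bits > MAX_SERIAL_OCTETS * 8 - 1:
        raise ValueError("prefix too wide: serial would exceed 20 DER octets")
    while True:
        serial = (prefix << random_bits) | rng(random_bits)
        if serial > 0:              # a zero serial is not a valid X.509 serial
            return serial


def serial_file_text(serial: int) -> str:
    """Hex form used by the 'openssl ca' serial file: even number of digits."""
    text = format(serial, "X")
    return text if len(text) % 2 == 0 else "0" + text


def parse_serial_file(text: str) -> int:
    return int(text.strip(), 16)


if __name__ == "__main__":
    prefix = issuer_prefix("ca-host-1.example")   # constructed identifier
    serial = make_serial(prefix)
    assert der_integer_octets(serial) <= MAX_SERIAL_OCTETS
    print(serial_file_text(serial))
```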