➢ Thus how large does this random number have 

It’s also to protect against predicting serial numbers and being able to 
leverage that.  It’s not just (nor really mainly) the MD5 digest attacks.  
According to CABForum, you need 8 octets.  No reason not to use more if you can.


➢ page was talking about in conjunction with the -CA option. With 'openssl 
    ca' use of the serial file is mandatory according to the man page.  
    There are no command line options for it.

Fixed in master and will be part of the next releases; the -rand_serial flag.
 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
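
Added example (not from the original message and not OpenSSL's code): generating and auditing certificate serial numbers against the 8-octet figure quoted above. The function names are illustrative, and the 20-octet ceiling is an assumption taken from RFC 5280.

```python
import secrets

MIN_RANDOM_OCTETS = 8   # minimum quoted in the message above
MAX_SERIAL_OCTETS = 20  # assumption: RFC 5280 limit on the encoded serialNumber


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER holding non-negative n."""
    if n < 0:
        raise ValueError("serial numbers must not be negative")
    # The extra octet appears only when the top bit is set, so DER reads it as positive.
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def new_serial(random_octets: int = 16) -> int:
    """Positive serial built from random_octets of CSPRNG output."""
    if random_octets < MIN_RANDOM_OCTETS:
        raise ValueError("below the 8-octet minimum")
    if random_octets >= MAX_SERIAL_OCTETS:
        raise ValueError("no room for the sign octet within 20 octets")
    while True:
        # Keep every random bit; positivity comes from the DER sign octet, not masking.
        n = int.from_bytes(secrets.token_bytes(random_octets), "big")
        if n > 0:
            return n


def check_serial(content: bytes) -> list:
    """Audit the content octets of a certificate's serialNumber INTEGER."""
    if not content:
        return ["empty INTEGER"]
    findings = []
    value = int.from_bytes(content, "big", signed=True)
    if value <= 0:
        findings.append("not a positive integer")
    if len(content) > MAX_SERIAL_OCTETS:
        findings.append("longer than 20 octets")
    # Size heuristic only: a value under 7 octets is unlikely to come from
    # 8 or more random octets and looks like a counter from a serial file.
    if 0 < value < 1 << (8 * (MIN_RANDOM_OCTETS - 1)):
        findings.append("smaller than 8 random octets would normally produce")
    return findings


if __name__ == "__main__":
    serial = new_serial()
    print(hex(serial), check_serial(der_integer_content(serial)))
    print(check_serial(bytes.fromhex("1001")))  # constructed counter-style serial
```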
