In the OpenSSL Cookbook private CA instructions on directory structure, the commands

openssl rand -hex 16 > db/serial
echo 1001 > db/crlnumber

seem to disagree with later paragraphs.

After creating and signing the self-signed certificate, the db/index file in the example is:

V 240706115345Z 1001 unknown /C=GB/O=Example/CN=Root CA

instead of the 16 random hexadecimal digits mine shows, and looks suspiciously like the 1st crlnumber serial number.

Later a command example to revoke a certificate also seems to be using the 1001+ serial number scheme:

openssl ca -config root-ca.conf -revoke certs/1002.pem -crl_reason keyCompromise

I know it's a bit nitpicky, but as a complete noob, it's also a bit confusing.
There is no need to initialize db/serial yourself. You don't even have to create an empty file. When you create your self-signed root CA, just add the -create_serial flag:

But do this only once, during the root CA creation, because from your random number you want to count up. Usually you don't want a random number every time.

The db/crlnumber should be initialized with 01 (NOTE: it's important to start with a leading zero). I wondered too, why 1001?!? Usually you start with 1 if it's your first revocation.
@ashansol I am sorry I missed your message last year.
When the starting serial is fixed, for example 1001, and you're experimenting and learning, it often happens that you create one root CA, then another, and then maybe another. If you import them into your OS, there can be confusion if the Issuer DN and the serial are the same. Using a random number as the starting point avoids it.
Regarding the inconsistency, I think the first version of the book didn't use the random number approach, and I later made a change only in one place and not throughout. I will make a note so that this is fixed in the next revision.
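The database and serial-file conventions discussed in the two replies above, as an added worked example (this is not code from the OpenSSL Cookbook or from anyone in the thread): a stdlib-only Python parser for the db/index text database that `openssl ca` maintains, the even-digit rule that explains why `01` loads where `1` does not, the count-up behaviour that follows a random starting serial, and the (issuer DN, serial) collision that a fixed `1001` start produces when two roots are built from the same root-ca.conf. The index lines, CA names and dates are constructed for the example; the file names (db/index, db/serial, db/crlnumber) follow the Cookbook's layout.

```python
"""Parse and sanity-check the text database kept by an `openssl ca` setup.

Added example, not the OpenSSL Cookbook's code. All db/index content below is
constructed to mirror the thread: a root self-signed as serial 1001, a server
certificate issued as 1002 and then revoked with
`openssl ca -revoke certs/1002.pem -crl_reason keyCompromise`.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Fields are tab-separated; the revocation field is empty for valid entries.
SAMPLE_INDEX = (
    "V\t240706115345Z\t\t1001\tunknown\t/C=GB/O=Example/CN=Root CA\n"
    "R\t240706120102Z\t230706120500Z,keyCompromise\t1002\tunknown\t/C=GB/O=Example/CN=www.example.com\n"
)
ROOT_DN = "/C=GB/O=Example/CN=Root CA"
# Constructed: a second root made later from the same config, again starting at 1001.
SECOND_ROOT_INDEX = "V\t250101000000Z\t\t1001\tunknown\t/C=GB/O=Example/CN=Root CA\n"
# Constructed: a third root whose db/serial came from `openssl rand -hex 16`.
RANDOM_ROOT_INDEX = "V\t250101000000Z\t\t5F1A9C0B3D7E2A41C8B6D0F3E9A2C7B1\tunknown\t/C=GB/O=Example/CN=Root CA\n"

HEX = set("0123456789abcdefABCDEF")


@dataclass
class IndexEntry:
    status: str             # V valid, R revoked, E expired
    expires: str            # notAfter as YYMMDDHHMMSSZ
    revoked: Optional[str]  # "YYMMDDHHMMSSZ" or "YYMMDDHHMMSSZ,<reason>"; None if not revoked
    serial: int             # stored as hex; the issued copy is certs/<hex>.pem
    filename: str           # "unknown" unless the CA keeps copies
    subject: str            # subject DN; the issuer is the CA's own DN

    @property
    def revocation_reason(self) -> Optional[str]:
        if not self.revoked or "," not in self.revoked:
            return None
        return self.revoked.split(",", 1)[1]


def parse_index(text: str) -> list[IndexEntry]:
    """Parse the `openssl ca` text database (index.txt, db/index in the Cookbook)."""
    entries: list[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"db/index line {lineno}: expected 6 fields, got {len(fields)}")
        status, expires, revoked, serial, filename, subject = fields
        entries.append(IndexEntry(status, expires, revoked or None, int(serial, 16), filename, subject))
    return entries


def parse_serial_file(text: str) -> int:
    """Read db/serial or db/crlnumber. OpenSSL loads these with a2i_ASN1_INTEGER,
    which rejects an odd count of hex digits: '1' fails, while '01', '1001' and
    the 32 digits written by `openssl rand -hex 16` all load."""
    s = text.strip()
    if not s or len(s) % 2 or not set(s) <= HEX:
        raise ValueError(f"invalid serial file contents: {text!r}")
    return int(s, 16)


def is_valid_serial_file(text: str) -> bool:
    try:
        parse_serial_file(text)
        return True
    except ValueError:
        return False


def format_serial(n: int) -> str:
    """Serialise as `openssl ca` writes the file back: upper-case hex, even length."""
    h = f"{n:X}"
    return "0" + h if len(h) % 2 else h


def next_serial(serial_file: str) -> str:
    """`openssl ca` uses the number in db/serial for the new certificate and writes
    back the increment, so a random start (-create_serial or `openssl rand`) still
    counts up for every certificate issued afterwards."""
    return format_serial(parse_serial_file(serial_file) + 1)


def serial_collisions(cas: dict[str, tuple[str, str]]) -> list[tuple[str, str, list[str]]]:
    """A certificate is identified by (issuer DN, serial). Given
    {ca_name: (ca_dn, index_text)}, report pairs issued by more than one CA."""
    seen: dict[tuple[str, str], list[str]] = {}
    for ca_name, (ca_dn, index_text) in cas.items():
        for e in parse_index(index_text):
            seen.setdefault((ca_dn, format_serial(e.serial)), []).append(ca_name)
    return [(dn, sn, names) for (dn, sn), names in seen.items() if len(names) > 1]


def demo() -> list[tuple[str, str, list[str]]]:
    """Three roots with the same DN: the two fixed-start ones collide on 1001."""
    return serial_collisions({
        "root-2023": (ROOT_DN, SAMPLE_INDEX),
        "root-2024": (ROOT_DN, SECOND_ROOT_INDEX),
        "root-random": (ROOT_DN, RANDOM_ROOT_INDEX),
    })


if __name__ == "__main__":
    for e in parse_index(SAMPLE_INDEX):
        print(e.status, format_serial(e.serial), e.subject, e.revocation_reason or "")
    print("next serial after 1001:", next_serial("1001\n"))
    for dn, sn, names in demo():
        print(f"collision: serial {sn} issued by {', '.join(names)} as {dn}")
```

The collision check models why the random starting point matters: on an OS trust store the two fixed-start roots are indistinguishable by (issuer, serial), while the random one is not. `is_valid_serial_file("1\n")` being false is the concrete reason the crlnumber file needs the leading zero.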