On 8/17/2017 09:40, Robert Moskowitz wrote:
> I have been researching serial numbers in certs based on Jakob's comment:
>
> "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone
> numbers and as DER-encoded numbers. Note that this is not the default in
> the openssl ca program.
>
> - Serial numbers contain cryptographically strong random bits, currently at
> least 64 random bits, though it is best if the entire serial number looks
> random from the outside. This is not implemented by the openssl ca program."
>
> And this is supposedly from the CA/B BF?
>
> Though Erwann responded:
>
> "There’s no such requirement. It MUST be at most 20 octets long"
>
> I see how for all certs other than the root (get to that later), I can
> control this with:
>
> openssl rand -hex 20 > serial
>
> then use 'openssl ca ...'
>
> But from Kyle's comment, the first bit must be ZERO.

So since the 20 octets is a maximum and not a requirement, use -hex 19 instead, and if this results in DER placing a leading 0x00 byte you're still ok. This also complies with the ballot that Rich mentioned, since you have more entropy than required.
At least I think that meets the requirements....

--
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
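The length arithmetic behind the "-hex 19" suggestion, as an added example (not code from the thread or from OpenSSL): DER encodes INTEGER in two's complement, so a value whose top bit is set gets a leading 0x00 content byte, which counts toward the 20-octet maximum. Nineteen random bytes therefore always fit, while twenty fit only when the first bit happens to be zero. The function names (`der_integer_content`, `serial_fits`, `new_serial`) are assumed here.

```python
import secrets

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER whose DER content is at
# most 20 octets. Jakob's quoted guidance adds >= 64 bits of CSPRNG output.
MAX_SERIAL_OCTETS = 20


def der_integer_content(n: int) -> bytes:
    """DER content octets of a non-negative INTEGER (tag and length omitted).

    DER integers are two's complement: if the top bit of the first octet is
    set, a 0x00 octet is prepended so the value stays positive. That extra
    octet is what pushes a 20-byte random value to 21 content octets.
    """
    if n < 0:
        raise ValueError("serial numbers must be positive")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def serial_from_random_bytes(raw: bytes) -> int:
    """Interpret CSPRNG bytes as a serial, as `openssl rand -hex N > serial` does."""
    return int.from_bytes(raw, "big")


def serial_fits(n: int) -> bool:
    """True when the DER encoding of n honours the 20-octet maximum."""
    return len(der_integer_content(n)) <= MAX_SERIAL_OCTETS


def new_serial(nbytes: int = 19) -> int:
    """Draw a serial from nbytes of CSPRNG output (19 bytes = 152 bits of
    entropy, well above the 64-bit floor). Zero is not a valid serial, and the
    fit check guards callers who pass nbytes=20 and draw a top-bit-set value."""
    while True:
        n = serial_from_random_bytes(secrets.token_bytes(nbytes))
        if n > 0 and serial_fits(n):
            return n


if __name__ == "__main__":
    # Constructed worst cases: 20 bytes with the top bit set need 21 DER octets;
    # 19 bytes need at most 20 even when their top bit is set.
    for raw in (b"\xff" * 20, b"\x7f" + b"\xff" * 19, b"\xff" * 19):
        n = serial_from_random_bytes(raw)
        print(f"{len(raw)} random bytes, top bit {'set' if raw[0] & 0x80 else 'clear'}:"
              f" {len(der_integer_content(n))} DER octets, fits={serial_fits(n)}")
    print(f"fresh serial: {new_serial():x}")
```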
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users