Alexei Chetroi wrote:
On Sat, Feb 10, 2007 at 02:25:07PM +0400, Arsen Hayrapetyan wrote:
Date: Sat, 10 Feb 2007 14:25:07 +0400
From: Arsen Hayrapetyan <[EMAIL PROTECTED]>
To: [email protected]
Subject: [Openca-Users] The serial number of CA root certificate
I have set up CA and Node interfaces on my machine and have initialised
the CA.
The CA root certificate is created normally, but it has a strange serial
number: 2147483647 (0x7FFFFFFF).

:) What OS or Linux dist are you using? I've seen this behavior only
in Debian, and the reason for this is a too-long serial of the CA certificate.
You have two options: fix the genCert subroutine in OpenSSL.pm so that the
"-set_serial" openssl option is used for the CA certificate generation.
In this case beware that the general recommendation is that serial numbers
should be unique for a PKI system.

I've preached for over 10 years that serial numbers should be sequential
for audit purposes (starting with a self-signed root serial number of
1). But those designing CAs are often more interested in the technical
toys than in creating a point of trust with a complete auditable
environment.
Those CAs that I've managed and been responsible for audit only used
sequential serial numbers. It's a very basic requirement for operation.
It's one of the few reasons I recommend against OpenCA.
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
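
The audit concern raised in this thread (unique, sequential serial numbers, and a root certificate showing 0x7FFFFFFF) can be checked mechanically. The script below is an added example, not code from the posters or from OpenCA; it assumes an OpenSSL `ca`-style `index.txt` with six tab-separated fields, which may differ from OpenCA's own database, and the sample records are constructed.

```python
# Added example: audit the serial numbers in an OpenSSL "ca"-style index.txt.
# Assumed record layout (tab-separated): status, expiry, revocation date,
# serial (hex), file name, subject DN.
INT32_MAX = 0x7FFFFFFF  # the serial value reported in this thread

def parse_index(text):
    """Yield (status, serial_int, subject) for each non-empty record."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, _expiry, _revoked, serial_hex, _fname, subject = fields
        yield status, int(serial_hex, 16), subject

def audit_serials(text, first=1):
    """Return findings; an empty list means serials are unique and gap-free."""
    findings, seen = [], {}
    for _status, serial, subject in parse_index(text):
        if serial == INT32_MAX:
            findings.append(f"serial 0x{serial:X} ({subject}) equals the 32-bit "
                            "signed maximum, the symptom described in this thread")
        if serial in seen:
            findings.append(f"duplicate serial 0x{serial:X}: "
                            f"{seen[serial]} and {subject}")
        seen.setdefault(serial, subject)
    expected = first
    for serial in sorted(s for s in seen if s != INT32_MAX):
        if serial > expected:
            findings.append(f"gap: 0x{expected:X} to 0x{serial - 1:X} never issued")
        expected = max(expected, serial + 1)
    return findings

# Constructed sample database: a saturated root serial, a duplicate and a gap.
SAMPLE_INDEX = "\n".join([
    "V\t170210102507Z\t\t7FFFFFFF\tunknown\t/CN=Example Root CA",
    "V\t080210110000Z\t\t01\tunknown\t/CN=node.example.org",
    "V\t080210110500Z\t\t02\tunknown\t/CN=ra.example.org",
    "R\t080210111000Z\t070301000000Z\t04\tunknown\t/CN=user-a",
    "V\t080210111500Z\t\t04\tunknown\t/CN=user-b",
])

if __name__ == "__main__":
    for finding in audit_serials(SAMPLE_INDEX):
        print(finding)
```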