[adamw@adam openssl (master)]$ man req
...
       -x509
           this option outputs a self signed certificate instead of a
           certificate request. This is typically used to generate a test
           certificate or a self signed root CA. The extensions added to the
           certificate (if any) are specified in the configuration file.
           Unless specified using the set_serial option 0 will be used for
           the serial number.

[adamw@adam openssl (master)]$ git blame apps/req.c | grep -5 rand_serial
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  837)                   {
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  838)                   if (!X509_set_serialNumber(x509ss, serial)) goto end;
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  839)                   }
acba75c5 (Dr. Stephen Henson  2001-02-19 13:38:32 +0000  840)                   else
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  841)                   {
64674bcc (Dr. Stephen Henson  2004-04-20 12:05:26 +0000  842)                   if (!rand_serial(NULL,
64674bcc (Dr. Stephen Henson  2004-04-20 12:05:26 +0000  843)                           X509_get_serialNumber(x509ss)))
64674bcc (Dr. Stephen Henson  2004-04-20 12:05:26 +0000  844)                                   goto end;
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  845)                   }
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  846) 
1064acaf (Bodo Möller         2002-04-17 09:31:34 +0000  847)                   if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;

[adamw@adam openssl (master)]$ git log | grep -7 64674bcc
...
commit 64674bcc8cee73853d00388a5e83cb1b2f38bec1
Author: Dr. Stephen Henson <[email protected]>
Date:   Tue Apr 20 12:05:26 2004 +0000

    Reduce chances of issuer and serial number duplication by use of random
    initial serial numbers.
    
    PR: 842

Patch attached.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

From ab2606d09ed38755d94330f7a0b991ea7d057c9f Mon Sep 17 00:00:00 2001
From: Adam Williamson <[email protected]>
Date: Sat, 30 Aug 2014 05:32:55 -0700
Subject: [PATCH] default serial number for x509 cert is a random integer, not
 0

Since 64674bcc8cee73853d00388a5e83cb1b2f38bec1 in 2004. Correct
the req documentation to reflect this.
---
 doc/apps/req.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index ad538ca..ffede30 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -235,8 +235,8 @@ this option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
 a self signed root CA. The extensions added to the certificate
 (if any) are specified in the configuration file. Unless specified
-using the B<set_serial> option B<0> will be used for the serial
-number.
+using the B<set_serial> option a large random integer will be used
+for the serial number.
 
 =item B<-days n>
 
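Review bot: "a large random integer" in the replacement sentence is unquantified; since the blame output shows the value comes from rand_serial() in the else branch at req.c lines 842-844, the doc should either state the bit length that rand_serial() actually generates or drop "large" and just say a random serial number is generated. The sentence also reads better with a comma after "option": "Unless specified using the B<set_serial> option, a random serial number will be used." Consider B<-set_serial> as well, since the option is written with a leading dash everywhere else in this page, although that was already wrong in the removed lines.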
-- 
2.1.0

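An added example, not part of the post or the patch above: a POSIX shell script that exercises the behaviour the patch documents. It generates a few self-signed certificates with `openssl req -x509` and no `-set_serial`, checks that no serial is 0 and that the serials are pairwise distinct, and confirms that `-set_serial` still overrides the random default. It assumes an `openssl` binary on PATH with a usable default config; the temporary file names and the subject `/CN=serial-test` are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not the mailing-list author's code): check the default
# serial-number behaviour of `openssl req -x509` described in the patch.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the serial number of a PEM certificate as uppercase hex, as
# `openssl x509 -serial` does ("2A" for 42, "00" for a zero serial).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Generate a self-signed certificate with a fresh 2048-bit RSA key.
# Extra arguments (e.g. -set_serial N) are passed through to `openssl req`.
gen_cert() {
    out="$1"; shift
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$out" \
        -subj "/CN=serial-test" -days 1 "$@" 2>/dev/null
}

# Generate N certificates with the default (random) serial and return 0
# only if none of them has serial 0 and no two of them collide.
default_serials_ok() {
    n="$1"; i=0
    : > "$WORK/serials.txt"
    while [ "$i" -lt "$n" ]; do
        gen_cert "$WORK/cert$i.pem"
        cert_serial "$WORK/cert$i.pem" >> "$WORK/serials.txt"
        i=$((i + 1))
    done
    # The documented-but-wrong behaviour would show up as a "00" line.
    ! grep -qx '00' "$WORK/serials.txt" || return 1
    # Every serial must be distinct from the others.
    [ "$(sort -u "$WORK/serials.txt" | wc -l | tr -d ' ')" -eq "$n" ]
}

# Generate one certificate with an explicit serial and print what ended
# up in the certificate, to show -set_serial still wins over the default.
explicit_serial() {
    gen_cert "$WORK/explicit.pem" -set_serial "$1"
    cert_serial "$WORK/explicit.pem"
}

# Usage when run directly:
#   default_serials_ok 3 && echo "random serials: ok"
#   explicit_serial 42        # prints 2A
```

The uniqueness check is the one that matters in practice: the 2004 commit was motivated by issuer/serial duplication, and a CA or test harness that mints many certificates from the same subject should verify exactly this property rather than trust the man page.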