> Yes, you are right, it could be difficult to guarantee that the random
> serial number will be unique.

As an aside, I'm not sure this is such a major hurdle. The CA should be able to look up certs by serial number anyway, and if it can do that efficiently (e.g., you have a Berkeley DB DB_HASH table mapping serial number to filename) then you can use the same mechanism to ensure that random SNs are unique.

> Also a digest from timestamp will be more appropriate.

Another common choice is YYYYMMDDXXXXXX, where the prefix is the current date and the XXXXXX is some random component. This still gives you the nice property that SN1 > SN2 implies that the first cert was issued after the second cert (unless the SNs are close), while giving you a large random component.

> My question for you is how to write this SN's value when
> I sign the CSR?

X509_set_serialNumber(x, s); but only if you're doing it in C instead of at the CLI level. In fact, getting the ability to set SNs to what I wanted is one reason why I went with some local C programs instead of the standard CLI tools.

Bear

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
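The YYYYMMDDXXXXXX scheme and the uniqueness check discussed in the message above, worked through in C as an added example (not code from the thread or from OpenSSL itself): the serial is built as an integer, reduced to the DER INTEGER content octets a certificate would carry, and checked against a constructed list of already-issued serials. The OpenSSL calls named in the comments are only mentioned, not invoked, so the block compiles without libcrypto; the in-memory array stands in for a real CA's serial-to-cert index.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Serial number of the form YYYYMMDDXXXXXX from the thread: an 8-digit UTC date
 * prefix followed by a 6-digit random component. 14 decimal digits fit in a
 * uint64_t, so the whole value can be built with integer arithmetic. */
uint64_t make_serial(int year, int month, int day, uint32_t random_part) {
    uint64_t date_prefix = (uint64_t)year * 10000 + (uint64_t)month * 100 + day;
    return date_prefix * 1000000ULL + (random_part % 1000000);
}

/* Same thing from a time_t; gmtime() keeps the prefix independent of local TZ. */
uint64_t make_serial_at(time_t when, uint32_t random_part) {
    struct tm *tm = gmtime(&when);
    return make_serial(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, random_part);
}

/* Recover the issuance date from the serial alone (the ordering property the
 * thread mentions: a larger serial was issued on the same or a later day). */
uint64_t serial_date(uint64_t serial) { return serial / 1000000ULL; }

/* Content octets of a DER INTEGER for the serial: minimal big-endian, with a
 * leading 0x00 when the top bit is set so the value stays positive (RFC 5280
 * requires a positive serialNumber of at most 20 octets). Returns the length.
 * With OpenSSL the same value can be loaded directly instead, e.g. via
 * ASN1_INTEGER_set_uint64() (1.1.0+) or BN_to_ASN1_INTEGER(), and then handed
 * to X509_set_serialNumber(x, s) as the thread describes. */
size_t serial_to_der_bytes(uint64_t serial, unsigned char out[9]) {
    unsigned char tmp[8];
    for (int i = 7; i >= 0; i--) { tmp[i] = (unsigned char)(serial & 0xff); serial >>= 8; }
    int start = 0;
    while (start < 7 && tmp[start] == 0) start++;   /* strip leading zero octets */
    size_t n = 0;
    if (tmp[start] & 0x80) out[n++] = 0x00;         /* keep the INTEGER positive */
    memcpy(out + n, tmp + start, (size_t)(8 - start));
    return n + (size_t)(8 - start);
}

/* The uniqueness check the thread discusses: before issuing, the CA looks the
 * candidate up among already-issued serials and rejects a repeat. A linear scan
 * over an in-memory array stands in for the CA's serial-to-cert index here. */
int serial_is_unique(const uint64_t *issued, size_t count, uint64_t candidate) {
    for (size_t i = 0; i < count; i++)
        if (issued[i] == candidate) return 0;
    return 1;
}
```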