On Sun, 26 Feb 2006, Dr. Stephen Henson wrote:

> On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> > Even if I create an explicit serial-file it won't be used for the 'req'
> > command (tested with strace).
> >
> > Any ideas what I'm doing wrong? Or is the man-page wrong?
>
> The manual page needs updating. It now uses a random serial number unless a
> serial number is given explicitly. This was to reduce the chance of duplicate
> issuer names and serial numbers.

Ah yes; I scrutinized the code and saw that the current time will be used for forming the random number (crypto/bn/bn_rand.c).

As I have hopefully understood, setting the serial number of a CA to a distinct number like 1 is good practice. From a technical point of view any number should be as good as another as long as they are unique (as you mentioned in your post to Kyle). But for a CA? I saw a CA certificate from Thawte having a serial number of 1 and a CA certificate of VeriSign having a perhaps random number.

What will be the best way for a CA? Is there any preferred way?

Ciao, Georg
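
The behaviour discussed in this thread can be checked with the script below. It is an added example, not part of the original messages: it self-signs four certificates with the same subject, two with the default serial and two with an explicit `-set_serial 1`, then compares the issuer and serial pairs. The subject name and file names are constructed, and it assumes an OpenSSL build whose `req -x509` defaults to a random serial as described above.

```shell
#!/bin/sh
# Constructed demo: the subject name and file names are made up for illustration.
SUBJ="/CN=Example Test Root CA"

# Create a scratch directory holding one RSA key that every certificate reuses.
setup_ca_key() {
    WORK=$(mktemp -d) || return 1
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
}

# make_cert NAME [extra 'req' options]: self-sign a certificate, print its serial.
make_cert() {
    name=$1; shift
    openssl req -new -x509 -key "$WORK/ca.key" -subj "$SUBJ" -days 30 \
        "$@" -out "$WORK/$name.pem" 2>/dev/null || return 1
    openssl x509 -in "$WORK/$name.pem" -noout -serial | sed 's/^serial=//'
}

# issuer_serial NAME: print the (issuer, serial) pair, which should be unique.
issuer_serial() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer -serial | tr '\n' ' '
}

demo() {
    setup_ca_key || return 1
    # No serial given: 'req' picks a random one, so two runs differ.
    echo "default  #1: $(make_cert rand1)"
    echo "default  #2: $(make_cert rand2)"
    # Serial given explicitly: both runs yield the same value.
    echo "explicit #1: $(make_cert fix1 -set_serial 1)"
    echo "explicit #2: $(make_cert fix2 -set_serial 1)"
    if [ "$(issuer_serial fix1)" = "$(issuer_serial fix2)" ]; then
        echo "duplicate issuer+serial: $(issuer_serial fix1)"
    fi
    rm -rf "$WORK"
}

demo
```

The two certificates created with `-set_serial 1` end up with the same issuer name and serial number, which is the duplication the random default is meant to make unlikely.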