I agree with Walter that it is not exactly good practice to have a CA key 
lying around on multiple servers. But anyway, if you need to do it you have to 
create the random serial number externally by some script and write it into 
the serial file (as set in the openssl configuration file used) prior to 
issuing the "openssl ca" command.

As a workaround if you do not want to do this, you could set different serial 
number ranges on the various servers. Server1 starts at serial 1, Server2 at 
0x010000 and so on. You'd still have incrementally growing serial numbers 
(which is actually bad by itself) but from distinct ranges.

cheers
Mat

On Sunday 27. April 2014 15:47:45 you wrote:
> On 26.04.2014 05:52, csa321 wrote:
> > We've generated our own CA for self-signing certificates. The issue is that
> > we package up the openssl install for installation on multiple servers.
> > Therefore, the root CA we create is part of the package as well.
> 
> the private key of the root CA should only exist on _ONE_ server; and as
> a backup on external media;
> 
> > The problem is that since the CA cert will have the same serial number
> > across all servers,
> 
> copying doesn't change serial number
> 
> > any certificates issued from that CA, on different
> > servers, end up having the same serial number.
> 
> of course;
> 
> > This causes browser issues for obvious reasons.
> 
> this is a design failure;  the certificates MUST all be signed on only
> one server for this reason;
> or each server must have its own root/intermediate CA;
> 
> > Is there any way to control the incrementing of the serial number from the
> > root CA so that it is completely random,
> 
> No.
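The two approaches Mat describes above (writing a fresh random serial into the configured serial file before each "openssl ca" run, and giving each server its own serial range), as an added POSIX shell example that is not part of this thread. It assumes od(1) and /dev/urandom are available and that the serial file path you pass is the one named by the "serial" entry of the openssl.cnf in use; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh, od(1) and /dev/urandom.
# The serial file path must match the "serial" entry in the openssl.cnf used.

# Emit 16 random bytes as lowercase hex, with the top bit of the first byte
# cleared so the serial is a positive INTEGER that needs no extra sign octet.
random_serial_hex() {
    first=$(od -An -tu1 -N1 /dev/urandom | tr -d ' \n')
    rest=$(od -An -tx1 -N15 /dev/urandom | tr -d ' \n')
    printf '%02x%s\n' $(( first & 127 )) "$rest"
}

# Check a serial against what "openssl ca" and RFC 5280 accept: hex only,
# even digit count (whole octets), non-zero, at most 20 octets, positive.
serial_is_valid() {
    s=$1
    case $s in
        ''|*[!0-9a-fA-F]*) return 1 ;;          # not a hex string
    esac
    [ $(( ${#s} % 2 )) -eq 0 ] || return 1      # openssl wants whole octets
    [ ${#s} -le 40 ] || return 1                # RFC 5280: at most 20 octets
    case $s in *[1-9a-fA-F]*) ;; *) return 1 ;; esac   # reject all zeros
    if [ ${#s} -eq 40 ]; then
        case $s in [0-7]*) ;; *) return 1 ;; esac      # top bit set: 21 octets
    fi
    return 0
}

# Mat's second workaround: each server draws from its own range. Server 1
# starts at 1, server N (N >= 2) at (N-1) * 0x010000 (65536), formatted as
# openssl expects (hex, even number of digits).
range_start_hex() {
    if [ "$1" -eq 1 ]; then printf '01\n'; return; fi
    printf '%06x\n' $(( ($1 - 1) * 65536 ))
}

# Overwrite the serial file; the caller then runs "openssl ca" as usual, e.g.
#   write_random_serial ./serial &&
#       openssl ca -config openssl.cnf -in req.pem -out cert.pem
write_random_serial() {
    serial=$(random_serial_hex)
    serial_is_valid "$serial" || return 1
    printf '%s\n' "$serial" > "$1"
}
```

Run write_random_serial immediately before every "openssl ca" invocation on each server; the per-range alternative only needs range_start_hex written once into that server's serial file.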
