On 30/04/2014 6:05 AM, Walter H. wrote:
> On 29.04.2014 21:38, d...@deadhat.com wrote:
>>
>> This all seems unnecessarily complex. Make the serial number a 256 bit or
>> greater true random number. There will be no collisions.
> the serial number has maximum length ..., 256 bit is quite too big ..
>
In X.509 terms the serial number is an ASN.1 integer value, so there is no real length limit. It is also pretty common to see the output of a hash operation used as a serial number in a certificate.

However, in the context of everyone separately picking an RNG output value (on separate systems) there is no *guarantee* of zero collisions.

If you are installing the same "root" on multiple machines that don't coordinate, then just auto-edit the serial file (if using the ca program) and put a unique prefix on the front. Perhaps just grab the machine MAC and add that in. The auto-incrementing handling will then sort that out. The serial number format is simply a hex string value.

E.g. something like this could work (and there are better ways to do this; it is just to get you started down a path that may solve the original poster's immediate issue):

    # MAC of eth0 (12 hex digits, colons stripped) followed by a 6-digit counter
    printf '%s000000\n' "$(ifconfig eth0 | grep HWaddr | awk '{print $NF}' | sed -e 's/://g')" > path-to-ca-serial-file

Tim.
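The following is an added example (not Tim's code, not from the thread) of the "per-machine prefix plus counter" approach described above, with the checks a practitioner would want before handing the file to `openssl ca`: the prefix must be hex, the serial file must contain an even number of hex digits (openssl reads the file as a whole number of bytes), and RFC 5280 section 4.1.2.2 caps a conforming serial at 20 octets (40 hex digits). Reading the MAC from `/sys/class/net/<iface>/address` is an assumption about a Linux host; the function names, the path argument and the sample MAC `001122334455` are invented for the example.

```shell
#!/bin/sh
# Added example: build an `openssl ca` serial file from a per-machine prefix
# and a zero-padded counter, validating the result before writing it.

# Print the MAC of interface $1 as 12 lower-case hex digits, no colons.
# Assumes Linux sysfs; returns 1 if the interface does not exist.
mac_prefix() {
    iface="$1"
    [ -r "/sys/class/net/$iface/address" ] || return 1
    tr -d ':\n' < "/sys/class/net/$iface/address" | tr 'A-F' 'a-f'
}

# Compose the serial from a hex prefix ($1) and a decimal counter ($2, default 0).
# The counter is rendered as 6 hex digits, mirroring the "000000" suffix in
# the thread; openssl ca then increments the whole value per issued cert.
make_serial() {
    prefix="$1"
    counter="${2:-0}"

    # Prefix must be pure hex, otherwise openssl cannot parse the file.
    printf '%s' "$prefix" | grep -Eq '^[0-9a-fA-F]+$' || return 1

    serial=$(printf '%s%06x' "$prefix" "$counter")

    # openssl expects whole bytes: pad to an even number of hex digits.
    if [ $(( ${#serial} % 2 )) -ne 0 ]; then
        serial="0$serial"
    fi

    # RFC 5280 4.1.2.2: conforming CAs MUST NOT use serials longer than 20 octets.
    [ "${#serial}" -le 40 ] || return 1

    printf '%s\n' "$serial"
}

# Write the serial file at $1 from prefix $2 and counter $3.
# Point the `serial` directive in the openssl.cnf [ ca ] section at this path.
write_serial_file() {
    path="$1"
    serial=$(make_serial "$2" "$3") || return 1
    printf '%s\n' "$serial" > "$path"
}

# Stand-alone usage: derive the prefix from eth0 if present, else fall back
# to a constructed sample MAC so the script still runs offline.
if [ "${0##*/}" = "serial_file.sh" ]; then
    prefix=$(mac_prefix eth0) || prefix="001122334455"
    write_serial_file "./ca.srl" "$prefix" 0 && cat ./ca.srl
fi
```

Because each machine's prefix differs, the counters that `openssl ca` increments on separate hosts can never produce the same full serial, which is the property the thread is after; the checks above only make sure the resulting file is something openssl and RFC 5280 will accept.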