On 30.04.2014 03:57, Nikolay Elenkov wrote:
What hasn't been suggested is giving each server, etc. its own sub-CA signed by
the root. Then there won't be a need to have the root key at multiple places and
no problems with serial. Additionally, clients will only have to install and trust
the
On 29.04.2014 22:32, Tim Hudson wrote:
On 30/04/2014 6:05 AM, Walter H. wrote:
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions.
the serial
: Increment certificate serial numbers randomly
On 30/04/2014 6:05 AM, Walter H. wrote:
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions
On 4/28/2014 10:53 AM, Mat Arge wrote:
I agree with Walter, that it is not exactly good practice to have a CA key
lying around on multiple servers. But anyway, if you need to do it you have to
create the random serial number externally by some script and write it into
the serial file (as set in
On 29.04.2014 20:15, Jakob Bohm wrote:
I seem to (vaguely) recall that there was once an option or standard for
using a certificate-contents-related hash as the serial number, but I
can't seem to find it right now.
Hi,
could you please try to find this; I would be interested in such - a way
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions.
the serial number has maximum length ..., 256 bit is quite too big ..
On 30/04/2014 6:05 AM, Walter H. wrote:
On 29.04.2014 21:38, d...@deadhat.com wrote:
This all seems unnecessarily complex. Make the serial number a 256 bit or
greater true random number. There will be no collisions.
the serial number has maximum length ..., 256 bit is quite too big ..
In
of the other proposals.
Michael Wojcik
Technology Specialist, Micro Focus
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Tim Hudson
Sent: Tuesday, 29 April, 2014 16:32
To: openssl-users@openssl.org
Subject: Re: Increment certificate serial numbers randomly
On Wed, Apr 30, 2014 at 6:59 AM, Michael Wojcik
michael.woj...@microfocus.com wrote:
All of these approaches have already been suggested in this thread. Is it
really necessary that we go through them again?
What hasn't been suggested is giving each server, etc. its own sub-CA signed by
the
I agree with Walter, that it is not exactly good practice to have a CA key
lying around on multiple servers. But anyway, if you need to do it you have to
create the random serial number externally by some script and write it into
the serial file (as set in the openssl configuration file used)
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Mat Arge
Sent: Monday, 28 April, 2014 04:54
I agree with Walter, that it is not exactly good practice to have a CA key
lying around on multiple servers. But anyway, if you need to do it you have to
If you are comfortable with the key existing (online?) in multiple places, make
the serial number be a UUID treated as a BIGNUM.
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: Monday, 28 April, 2014 09:37
If you are comfortable with the key existing (online?) in multiple places,
make the serial number be a UUID treated as a BIGNUM.
Yes, that's a much
On 26.04.2014 05:52, csa321 wrote:
We've generated our own CA for self-signing certificates.
The issue is that
we package up the openssl install for installation on multiple servers.
Therefore, the root CA we create is part of the package as well.
the private key of the root CA should