Serial Number/Randomness apart; 
 
how many certificates would you expect to issue in a year? 
How would you deploy the cert for trust among the different browsers?
 
You should ensure that your certificates for SSL usage specify the appropriate 
EKU OID, in addition to path and issuance restrictions.
- SSL/TLS Web Server Authentication  serverAuth  1.3.6.1.5.5.7.3.1  
 
-Eduardo
 
> Date: Thu, 19 May 2011 11:28:30 -0700
> To: [email protected]
> From: [email protected]
> Subject: Re: [openssl-users] Quick eyeball requested - self generate openssl 
> certs/CA
> 
> A very simple one -- tax the time stamp register or the 4 byte cycles 
> since 1970, and concatenate the process id (which is unique for a 
> long time). The same process id cannot get either of those two 
> numbers in two calls to be the same. Eric
> 
> At 10:24 AM 5/19/2011, you wrote:
> >On Thu May 19 2011, Tim Watts wrote:
> > > I think I might add some "randomness" into mine - seems easy enough. I
> > > won't pretend I fully understand why - mostly because I wasn't clear why
> > > the serial is important.
> > >
> >
> >If your CPU has a 'time stamp register' (cycle counts since power-up) -
> >You can grab those contents as your counter (usually 8 bytes worth).
> >Since this counter advances rapidly (GHz range today) it is unlikely
> >you will ever have two machines, or two serial number creations, that
> >strike at the same clock cycle since power-up.
> >(That's a pretty small target to hit.)
> >
> >Usually that will cost you one or two machine cycles to read the counter.
> >Relatively fast way to get "an 8 byte number I haven't used before".
> >
> >Concatenate that with 8 bytes of something else of your choice that
> >doesn't vary with the clock cycles since power up.
> >If truly paranoid - 'whiten' with the hash function of your choice.
> >(or with AES as in another post here - many machines can do AES in hardware.)
> >
> >Mike
> >
> >______________________________________________________________________
> >OpenSSL Project http://www.openssl.org
> >User Support Mailing List [email protected]
> >Automated List Manager [email protected]
> 
> 
> Eric S. Eberhard
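
The recipe from the quoted messages (8 bytes of a fast counter, 8 bytes of something that does not vary with it, then whitening with a hash), written out as an added example that is not part of the original thread. Assumptions: `time.perf_counter_ns()` stands in for the CPU time stamp register, the process id is the second half, SHA-256 is the hash, and all function names are hypothetical; the positive-value and 20-octet limits on serial numbers are from RFC 5280.

```python
import hashlib
import os
import struct
import time

MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2: at most 20 octets


def raw_serial_input(counter: int, pid: int) -> bytes:
    """8 bytes of fast counter followed by 8 bytes that do not depend on it."""
    mask = 0xFFFFFFFFFFFFFFFF
    return struct.pack(">QQ", counter & mask, pid & mask)


def whiten(raw: bytes, octets: int = 16) -> int:
    """Hash the raw bytes and shape the digest into a valid serial number.

    The hash only spreads the input bits; it adds no randomness of its own.
    """
    if not 1 <= octets <= MAX_SERIAL_OCTETS:
        raise ValueError("serial must be 1..20 octets")
    digest = bytearray(hashlib.sha256(raw).digest()[:octets])
    digest[0] &= 0x7F  # clear the top bit so the DER INTEGER stays positive
    return int.from_bytes(digest, "big") or 1  # zero is not a valid serial


def new_serial(counter=None, pid=None) -> int:
    """Serial from the current counter and pid (both overridable for tests)."""
    counter = time.perf_counter_ns() if counter is None else counter
    pid = os.getpid() if pid is None else pid
    return whiten(raw_serial_input(counter, pid))


def der_integer(serial: int) -> bytes:
    """DER-encode a positive serial; a 0x00 pad is added if the top bit is set."""
    body = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body


if __name__ == "__main__":
    s = new_serial()
    print("serial     :", hex(s))
    print("DER INTEGER:", der_integer(s).hex())
```

The hex value printed by the block can be supplied to `openssl x509 -req` through its `-set_serial` option with a `0x` prefix.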
                                          
