On 4/28/2014 10:53 AM, Mat Arge wrote:
I agree with Walter, that it is not exactly good practice to have a CA key
lying around on multiple servers. But anyway, if you need to do it you have to
create the random serial number externally by some script and write it into
the serial file (as set in the openssl configuration file used) prior to
issuing the "openssl ca" command.

As a workaround if you do not want to do this, you could set different serial
number ranges on the various servers. Server1 starts at serial 1, Server2 at
0x010000 and so on. You'd still have incrementally growing serial numbers
(which is actually bad by itself) but from distinct ranges.

I seem to (vaguely) recall that there was once an option or standard for
using a certificate-contents-related hash as the serial number, but I can't seem to find it right now.

As for the use of a widely shared private key, I have seen this sensibly
used for test certificates, where the (insecure) test CA is trusted
amongst systems configured in "test" mode, as long as all those systems
were from the vendor who originally set up this test root and
distributed the private key with their systems.

Use of certificates issued by this test root would result in a very specific warning message summarizing the nature of those certificates,
while still allowing technical testing of the entire security system,
without exposing real (trusted) end entity private keys to insecure
test and compile environments.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
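As an added example (not code from either post), the "generate the serial externally, write it into the serial file, then run openssl ca" procedure as a POSIX shell script: the serial is 16 random bytes with the high bit cleared, so the DER INTEGER is positive and at most 20 octets as RFC 5280 requires, and it is checked against index.txt before use. The demoCA/ paths and the openssl.cnf name in the commented invocation are assumptions.

```shell
#!/bin/sh
# Random, positive, 128-bit serial for "openssl ca". The serial file is the
# path given by "serial =" in the [ CA_default ] section of the config;
# it must hold the next serial (hex) before "openssl ca" is invoked.

# Print 32 hex chars (16 bytes) with the top bit cleared: a leading nibble
# of 8..f would make the DER INTEGER negative, which RFC 5280 forbids.
random_serial_hex() {
    hex=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1 | tr '89abcdef' '01234567')
    printf '%s%s\n' "$first" "${hex#?}"
}

# Return 0 if SERIAL is not already recorded in the CA database INDEX
# (index.txt is tab-separated; column 4 is the serial, written uppercase).
serial_unused() {
    index=$1; serial=$2
    [ -f "$index" ] || return 0
    ! cut -f4 "$index" | grep -qix "$serial"
}

# Write a fresh serial into SERIAL_FILE, retrying on the (practically
# impossible) collision with INDEX; prints the serial chosen.
write_serial() {
    serial_file=$1; index=$2
    while :; do
        s=$(random_serial_hex)
        if serial_unused "$index" "$s"; then
            printf '%s\n' "$s" > "$serial_file"
            printf '%s\n' "$s"
            return 0
        fi
    done
}

# Assumed CA layout; run these two lines on the signing host, in this order:
# write_serial demoCA/serial demoCA/index.txt
# openssl ca -config openssl.cnf -in req.pem -out cert.pem
```

Because every serial is drawn at random, the same script can run on each of the servers holding the CA key without coordinating ranges between them.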