Re: [openssl-users] Certificate serialnumber?
> From: openssl-users On Behalf Of Salz, Rich
> Sent: Sunday, July 05, 2015 11:56
> [in response to message about 'ca']
>
> > > the question: where does the serial number for this certificate come from?
> > > is it random by default when nothing is said about it?
>
> It will be random if (a) the serial file does not exist; and (b) you specify
> the -create_serial flag. Otherwise it opens the file, reads the number
> (defaulting to zero if not exists) and increments it, updates the file, and
> uses that as the new serial number.
>
One point I didn't notice until you pointed me at it:

FOR 'ca': If the serial file exists, the current value is read (ERROR if none or bad, not zero), THAT value is used, and then the incremented value is written back. If the file doesn't exist and you specify create, a random value is used, then the incremented value written. If the file doesn't exist and you don't specify create, error.

FOR 'x509' with -set_serial, that is used and the serial file is ignored. Otherwise same as above, except the value is incremented BEFORE it is used -- and the create option is spelled -CAcreateserial instead of -create_serial.

In short, 'ca' is like N++ in C but 'x509' is like ++N. Yikes!

THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information protected from disclosure and intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message or any attachments is strictly prohibited. If you have received this communication in error, please notify CardConnect immediately by replying to this message and then delete this message and any attachments from your computer.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate serialnumber?
> Unless I'm misreading the code an absent serial number file is an error.

I was looking at load_serial() in apps.c, with the |create| parameter.

/r$
Re: [openssl-users] Certificate serialnumber?
On Sun, Jul 05, 2015, Salz, Rich wrote:

> > > the question: where does the serial number for this certificate come from?
> > > is it random by default when nothing is said about it?
>
> It will be random if (a) the serial file does not exist; and (b) you specify
> the -create_serial flag. Otherwise it opens the file, reads the number
> (defaulting to zero if not exists) and increments it, updates the file, and
> uses that as the new serial number.
>

Unless I'm misreading the code an absent serial number file is an error.

We don't start with zero any more because this can result in duplicate issuer names and serial numbers which can cause hard to trace problems.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] Certificate serialnumber?
> > the question: where does the serial number for this certificate come from?
> > is it random by default when nothing is said about it?

It will be random if (a) the serial file does not exist; and (b) you specify the -create_serial flag. Otherwise it opens the file, reads the number (defaulting to zero if not exists) and increments it, updates the file, and uses that as the new serial number.
Re: [openssl-users] Certificate serialnumber?
On 05.07.2015 14:19, David Thompson wrote:
> Quoting the man page for req(1) -- although depending on the packaging which I don't know for CentOS it may be a different section like 1s or 1ssl -- and also on the web https://www.openssl.org/docs/apps/req.html
>
>     -x509
>         this option outputs a self signed certificate instead of a certificate
>         request. This is typically used to generate a test certificate or a self
>         signed root CA. The extensions added to the certificate (if any) are
>         specified in the configuration file. Unless specified using the
>         set_serial option, a large random number will be used for the serial
>         number.
>
> > would this be also an option when using openssl like this:
> >
> > openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate ... -enddate ...
> >
> 'ca' always uses the value currently in a 'serial' file configured in the configuration file, and increments it, thus using sequential numbers when you issue more than one cert.

As you wrote above, "Unless specified using the set_serial option, ..." -- is it the same with the 'serial' file when using openssl ca ...?
I mean, would the serial be random, when there is no 'serial' file specified, neither in the openssl.cnf nor at the command parameters ...

Thanks,
Walter
Re: [openssl-users] Certificate serialnumber?
> From: openssl-users On Behalf Of Ben Humpert
> Sent: Sunday, July 05, 2015 07:58
>
> Take a look in your openssl.cnf and you should see the option "serial"
> with a path / file specified. The serial number is taken from that
> file. If the file doesn't exist or is empty when the very first
> certificate is created then 01 is used as a serial for it.
>
That's for 'ca', not for 'req -new -x509'. See my answer.
Re: [openssl-users] Certificate serialnumber?
> From: openssl-users On Behalf Of Walter H.
> Sent: Sunday, July 05, 2015 06:49
>
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump
> CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem
> -out ./squidCA.pem
>
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
>
Quoting the man page for req(1) -- although depending on the packaging which I don't know for CentOS it may be a different section like 1s or 1ssl -- and also on the web https://www.openssl.org/docs/apps/req.html

    -x509
        this option outputs a self signed certificate instead of a certificate
        request. This is typically used to generate a test certificate or a self
        signed root CA. The extensions added to the certificate (if any) are
        specified in the configuration file. Unless specified using the
        set_serial option, a large random number will be used for the serial
        number.

> would this be also an option when using openssl like this:
>
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate
> ... -enddate ...
>
'ca' always uses the value currently in a 'serial' file configured in the configuration file, and increments it, thus using sequential numbers when you issue more than one cert. 'ca' also records issued certs in a 'database' file usually named index.txt (a VERY SIMPLE db, just a file with text lines and columns) which makes sequential numbers convenient. If you want nonsequential numbers you can edit the serial file before each or any execution of 'ca'.

This is mostly described on the man page for ca(1ssl), although on checking I see it isn't actually stated that serial values are incremented; you're supposed to infer that from the usual meaning of the word, although the X.509 meaning has diverged.

OpenSSL's other, simpler but less capable way to issue a child cert is 'openssl x509' with '-req' and '-CA', plus '-CAkey' unless the key is in the (CA)cert file, and other options as needed. In this method you may specify '-set_serial' as an option; else it uses the serial-file method like 'ca' except the filename may be an option or defaults to the (CA)cert file name with .pem or other suffix changed to .srl. And 'x509 -req -CA' does NOT record the index.txt 'database'.

Now, where do you think documentation of 'x509' might be?
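The three serial sources described in this message ('req -x509' with no serial file, 'ca' with its configured serial file, and 'x509 -req -CA' with a .srl file), together with the N++ versus ++N distinction David Thompson spells out in his later reply at the top of this thread, can be checked directly with the CLI. The script below is an added example and is not part of any message in the thread nor OpenSSL's own code; it assumes a POSIX shell with mktemp and an openssl binary on PATH, and the serial-file seeds 1000 and 2000, the CA name 'Example Test Root' and the leaf CN 'leaf' are constructed values for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the three serial sources with the
# openssl CLI alone. Assumes openssl and mktemp on PATH; the seeds 1000 and 2000,
# the CA name and the leaf CN are constructed values.
set -eu

# Serial of a certificate as uppercase hex with leading zero bytes stripped, so it
# compares equal to what the serial file holds (the file is written without a
# leading 00 byte, the DER serial may carry one).
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed -e 's/^serial=//' -e 's/^0*//'
}

# Content of a serial file, normalised the same way.
file_serial() {
    tr -d '[:space:]' < "$1" | sed -e 's/^0*//'
}

# Self-signed root via 'req -x509': no serial file is consulted; the man page
# promises "a large random number" unless -set_serial is given.
make_root() {   # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=Example Test Root' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {    # $1 = work dir, $2 = CN (also used as the file name)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# 'ca': the serial file holds the NEXT value. It is used as-is and N+1 is written
# back (N++). Prints "<issued serial> <serial file afterwards>": "1000 1001".
ca_demo() {
    d=$(mktemp -d)
    make_root "$d"; make_csr "$d" leaf
    mkdir "$d/newcerts"; : > "$d/index.txt"      # the 'database' must exist
    echo 1000 > "$d/serial"                      # seeded by hand
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
dir           = $d
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/ca.crt
private_key   = \$dir/ca.key
serial        = \$dir/serial
default_md    = sha256
default_days  = 1
policy        = demo_policy
[ demo_policy ]
commonName    = supplied
EOF
    openssl ca -batch -notext -config "$d/ca.cnf" \
        -in "$d/leaf.csr" -out "$d/leaf.crt" 2>/dev/null
    out="$(cert_serial "$d/leaf.crt") $(file_serial "$d/serial")"
    rm -rf "$d"; echo "$out"
}

# 'x509 -req -CA': the serial file holds the LAST value. It is incremented first,
# and the incremented value is both used and written back (++N): "2001 2001".
x509_demo() {
    d=$(mktemp -d)
    make_root "$d"; make_csr "$d" leaf
    echo 2000 > "$d/ca.srl"                      # seeded by hand
    openssl x509 -req -sha256 -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAserial "$d/ca.srl" -out "$d/leaf.crt" 2>/dev/null
    out="$(cert_serial "$d/leaf.crt") $(file_serial "$d/ca.srl")"
    rm -rf "$d"; echo "$out"
}

# No serial file plus -CAcreateserial: a random starting value is generated and
# then the ++N rule applies. Prints "<root serial> <leaf serial> <.srl content>".
createserial_demo() {
    d=$(mktemp -d)
    make_root "$d"; make_csr "$d" leaf
    openssl x509 -req -sha256 -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAserial "$d/ca.srl" -CAcreateserial \
        -out "$d/leaf.crt" 2>/dev/null
    out="$(cert_serial "$d/ca.crt") $(cert_serial "$d/leaf.crt") $(file_serial "$d/ca.srl")"
    rm -rf "$d"; echo "$out"
}

echo "ca (N++):            $(ca_demo)"
echo "x509 (++N):          $(x509_demo)"
echo "createserial (rand): $(createserial_demo)"
```

Run it once to see the three lines; the first two are fixed by the seeds, the third differs on every run because both the root serial and the created .srl start from random values, and in the third case the leaf serial and the new .srl content are equal, exactly as in the seeded ++N case.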
Re: [openssl-users] Certificate serialnumber?
Take a look in your openssl.cnf and you should see the option "serial" with a path / file specified. The serial number is taken from that file. If the file doesn't exist or is empty when the very first certificate is created then 01 is used as a serial for it.

Rich Salz recommended this SSL Cookbook https://www.feistyduck.com/books/openssl-cookbook/ by Ivan Ristić to me, and based on that you should initiate the database and serial files before you create certificates to avoid problems that can occur after months / years.

I use

    cd /etc/ssl/
    # CA layout: db (index and serial files), private keys, issued certs, CRLs, output, requests
    mkdir -p ./ca/db ./ca/private ./ca/certs ./ca/crl ./ca/out ./ca/reqs
    chmod 700 ./ca/private
    # empty 'database' (index) file and its attribute file
    cp /dev/null ./ca/db/an3kRootCA.db
    cp /dev/null ./ca/db/an3kRootCA.db.attr
    # random starting certificate serial; CRL numbers start at 1001
    openssl rand -hex 16 > ./ca/db/an3kRootCA.crt.srl
    echo 1001 > ./ca/db/an3kRootCA.crl.srl
    cd /etc/ssl/ca/

to create the whole environment and initiate the database and serial files. This is based on the SSL Cookbook information. If you want to read it for yourself please open https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html and begin with paragraph "Creating a Private Certification Authority" (F3).

2015-07-05 12:48 GMT+02:00 Walter H. :
> Hello,
>
> I'm using openssl command-line in a Linux-Box (CentOS 6.x with squid) like
> this:
>
> I haven't defined anything - everything is set default from the linux
> distribution
>
> openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/'
> -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem -out ./squidCA.pem
>
> the question: where does the serial number for this certificate come from?
> is it random by default when nothing is said about it?
>
> would this be also an option when using openssl like this:
>
> openssl ca -batch -config any.cnf -name any_ca -md sha256 -startdate ...
> -enddate ...
>
> Thanks.
>
> --
> Best regards,
> Ing. Walter Höhlhubmer