serializing certificates
Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates are always 0. Any thoughts?

Thank you in advance

Michael Weiner

RE: serializing certificates
Sounds to me like you're using openssl req rather than openssl ca

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Weiner
Sent: 24 November 2004 14:12
To: [EMAIL PROTECTED]
Subject: serializing certificates

Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates are always 0. Any thoughts?

Thank you in advance

Michael Weiner

______________________________________________________________________
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                [EMAIL PROTECTED]
Automated List Manager                   [EMAIL PROTECTED]

Re: serializing certificates
In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said:

hunter> Is there a way to force a serial number on a created
hunter> certificate? I have written an automated job that creates a
hunter> signing certificate every 7 days but for some reason the
hunter> serial numbers in the certificates are always 0. Any thoughts?

What version of OpenSSL, what command are you using?

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis

Re: serializing certificates
Seems to me I saw an option to set the serial number from the command line appear in openssl req but it might be recently added (e.g., check to see if the version you are using is too old to have it implemented!).

I've been doing the write-even-number-of-hex-digits-to-file since I started, so I guess it could be that -set_serial n was recently added, or recently documented (:-), or that I just missed it first time around.

See if -set_serial n works.

Michael Weiner wrote:
> Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates are always 0. Any thoughts?

-- 
An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street...

Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

Re: serializing certificates
On Wed, 2004-11-24 at 15:36 +0100, Richard Levitte - VMS Whacker wrote:
> In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said:
>
> hunter> Is there a way to force a serial number on a created
> hunter> certificate? I have written an automated job that creates a
> hunter> signing certificate every 7 days but for some reason the
> hunter> serial numbers in the certificates are always 0. Any thoughts?
>
> What version of OpenSSL, what command are you using?

I apologize, that would be *quite* useful to you. I am running openssl-0.9.7a presently and using the following command sequence:

1) openssl genrsa -out key.pem 2048
2) openssl req -new -x509 -key key.pem -out cert.pem -days 7
3) openssl x509 -in cert.pem -inform PEM -out cert.cer -outform DER

Thanks again

Michael Weiner

Re: serializing certificates
On Wed, 2004-11-24 at 09:53 -0500, Charles B Cranston wrote:
> Seems to me I saw an option to set the serial number from the command line appear in openssl req but it might be recently added (e.g., check to see if the version you are using is too old to have it implemented!).
>
> I've been doing the write-even-number-of-hex-digits-to-file since I started, so I guess it could be that -set_serial n was recently added, or recently documented (:-), or that I just missed it first time around.
>
> See if -set_serial n works.

man req shows that that *is* a valid option. Thank you Charles!

Michael Weiner

Re: serializing certificates
David C. Partridge wrote:
> Sounds to me like you're using openssl req rather than openssl ca
>
>> Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates are always 0. Any thoughts?

If this is the case, use the '-set_serial' option.

-- 
Best Regards,

Massimiliano Pala

Massimiliano Pala [OpenCA Project Manager]    [EMAIL PROTECTED]
Tel.:   +39 (0)11 564 7081
http://security.polito.it
Fax:    +39 178 270 2077
Mobile: +39 (0)347 7222 365
Politecnico di Torino (EuroPKI)

Certification Authority Information:
Authority Access Point: http://ca.polito.it
Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List: http://ca.polito.it/crl02/crl.crl

Re: serializing certificates
On Wed, Nov 24, 2004, Michael Weiner wrote:
> On Wed, 2004-11-24 at 15:36 +0100, Richard Levitte - VMS Whacker wrote:
> > In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said:
> >
> > hunter> Is there a way to force a serial number on a created
> > hunter> certificate? I have written an automated job that creates a
> > hunter> signing certificate every 7 days but for some reason the
> > hunter> serial numbers in the certificates are always 0. Any thoughts?
> >
> > What version of OpenSSL, what command are you using?
>
> I apologize, that would be *quite* useful to you. I am running openssl-0.9.7a presently and using the following command sequence:
>
> 1) openssl genrsa -out key.pem 2048
> 2) openssl req -new -x509 -key key.pem -out cert.pem -days 7
> 3) openssl x509 -in cert.pem -inform PEM -out cert.cer -outform DER

If the certificates have exactly the same details and serial number that may well cause problems because issuer name and serial number must be unique.

If you use the latest version of OpenSSL then instead of the 0 serial number (which is frowned upon by some specifications) it will by default use a 64 bit random number. You can still force the serial number to be anything using the -set_serial option.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
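
The fix discussed in this thread, as an added example that is not part of any poster's message or of OpenSSL's own documentation: the three commands from the thread wrapped in a script that passes a fresh random serial to -set_serial and then checks what the certificate actually records. The function names, the script name, the -subj value and the serial-generation method are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): weekly self-signed certificate with an
# explicit random serial instead of the 0 that 0.9.7-era "req -x509" wrote.
set -eu

# Print a random positive serial as 16 upper-case hex digits. The first digit
# is forced into 1-7 so the DER INTEGER is exactly 8 bytes: no sign padding
# and no leading zero to confuse later string comparisons.
new_serial() {
    hex=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
    first=$(( 0x$(printf '%s' "$hex" | cut -c1) & 7 ))
    if [ "$first" -eq 0 ]; then first=1; fi
    printf '%s%s\n' "$first" "$(printf '%s' "$hex" | cut -c2-16)"
}

# issue_cert KEY CERT DER: steps 1-3 from the thread plus -set_serial.
# Prints the serial that was requested. The subject is a placeholder.
issue_cert() {
    serial=$(new_serial)
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1
    openssl req -new -x509 -key "$1" -out "$2" -days 7 \
        -subj "/CN=weekly-signer.example" -set_serial "0x$serial"
    openssl x509 -in "$2" -inform PEM -out "$3" -outform DER
    printf '%s\n' "$serial"
}

# Serial actually recorded in a PEM certificate ("serial=ABCD..." -> "ABCD...").
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Usage: weekly-cert.sh issue key.pem cert.pem cert.cer
if [ "${1:-}" = "issue" ]; then
    want=$(issue_cert "$2" "$3" "$4")
    got=$(cert_serial "$3")
    if [ "$want" != "$got" ]; then
        echo "serial mismatch: wanted $want, certificate has $got" >&2
        exit 1
    fi
    echo "issued $3 with serial $got"
fi
```

Because the subject stays the same every week, the serial is the only thing that distinguishes one issued certificate from the next, which is the uniqueness requirement raised in the last reply.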