Re: Increment certificate serial numbers randomly

2014-04-30 Thread Mat Arge
t; Tuesday, 29 April, 2014 16:32 > To: openssl-users@openssl.org > Subject: Re: Increment certificate serial numbers randomly > > On 30/04/2014 6:05 AM, Walter H. wrote: > On 29.04.2014 21:38, d...@deadhat.com wrote: > > > This all seems unnecessaril

Re: Increment certificate serial numbers randomly

2014-04-30 Thread Walter H.
On 29.04.2014 22:32, Tim Hudson wrote: On 30/04/2014 6:05 AM, Walter H. wrote: On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 30.04.2014 03:57, Nikolay Elenkov wrote: What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a need to have the root key at multiple places and not problems with serial. Additionally, clients will only have to install and trust the roo

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Nikolay Elenkov
On Wed, Apr 30, 2014 at 6:59 AM, Michael Wojcik wrote: > All of these approaches have already been suggested in this thread. Is it > really necessary that we go through them again? > > What hasn't been suggested is giving each server, etc. its own sub-CA signed by the root. Then there won't be a
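The per-server sub-CA layout proposed in the message above, as an added example that is not code from the thread or from OpenSSL itself: the root signs one issuing CA per server, marked pathlen:0 and name-constrained to that server's hostname, so the root key never leaves its own host and each server only needs to keep its own sub-CA key online. Serials are drawn with `openssl rand` directly (19 octets, so the DER INTEGER fits the 20-octet limit of RFC 5280 even after a 0x00 sign pad). The directory layout, file names and `example.internal` hostnames are assumptions for illustration; it needs `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): one issuing sub-CA per server.
# Assumed names: a working directory passed as $1, *.example.internal hosts.
set -e

# Minimal req config shared by every CSR; the subject is always set via -subj.
write_req_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 19 random octets: stays within RFC 5280's 20-octet serialNumber limit even
# when the top bit is set and DER adds a 0x00 pad to keep the INTEGER positive.
rand_serial() {
    printf '0x%s\n' "$(openssl rand -hex 19)"
}

# The root is created once, offline; its key signs only sub-CA certificates.
make_root() {
    d=$1
    mkdir -p "$d"
    write_req_cnf "$d"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/root.key" 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" -config "$d/req.cnf" -extensions v3_root \
        -subj "/CN=Example Internal Root" -days 3650 -set_serial "$(rand_serial)" \
        -out "$d/root.crt"
}

# One sub-CA per server: pathlen:0 (it cannot issue further CAs) and a
# nameConstraints that limits it to the hostname it was created for.
make_subca() {
    d=$1; host=$2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$host.ca.key" 2>/dev/null
    openssl req -new -key "$d/$host.ca.key" -config "$d/req.cnf" \
        -subj "/CN=Issuing CA for $host" -out "$d/$host.ca.csr"
    cat > "$d/$host.ca.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nameConstraints = critical, permitted;DNS:$host
EOF
    openssl x509 -req -in "$d/$host.ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial "$(rand_serial)" -days 730 -extfile "$d/$host.ca.ext" \
        -out "$d/$host.ca.crt" 2>/dev/null
}

# The server signs its own leaf certificate with its sub-CA key.
issue_leaf() {
    d=$1; host=$2; name=$3
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$name.key" 2>/dev/null
    openssl req -new -key "$d/$name.key" -config "$d/req.cnf" -subj "/CN=$name" -out "$d/$name.csr"
    cat > "$d/$name.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
authorityKeyIdentifier = keyid:always
EOF
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$host.ca.crt" -CAkey "$d/$host.ca.key" \
        -set_serial "$(rand_serial)" -days 365 -extfile "$d/$name.ext" \
        -out "$d/$name.crt" 2>/dev/null
}

# Clients trust only root.crt; the sub-CA certificate is sent as part of the
# chain. Returns non-zero if the leaf violates pathlen or the name constraint.
verify_leaf() {
    d=$1; host=$2; name=$3
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/$host.ca.crt" "$d/$name.crt" >/dev/null 2>&1
}
```

Issuance with `openssl x509 -req` does not check the issuer's name constraints, so a compromised server could still mint a certificate for another hostname with its sub-CA key; the point of the constraint is that any client validating against root.crt rejects it, which is what `verify_leaf` demonstrates.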

RE: Increment certificate serial numbers randomly

2014-04-29 Thread Michael Wojcik
any of the other proposals. Michael Wojcik Technology Specialist, Micro Focus From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Tim Hudson Sent: Tuesday, 29 April, 2014 16:32 To: openssl-users@openssl.org Subject: Re: Increment certificate serial number

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Tim Hudson
On 30/04/2014 6:05 AM, Walter H. wrote: > On 29.04.2014 21:38, d...@deadhat.com wrote: >> >> This all seems unnecessarily complex. Make the serial number a 256 bit or >> greater true random number. There will be no collisions. > the serial number has maximum length ..., 256 bit is quite too big .. >

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 21:38, d...@deadhat.com wrote: This all seems unnecessarily complex. Make the serial number a 256 bit or greater true random number. There will be no collisions. the serial number has maximum length ..., 256 bit is quite too big ..

Re: Increment certificate serial numbers randomly

2014-04-29 Thread dj
> On 29.04.2014 20:15, Jakob Bohm wrote: >> I seem to (vaguely) recall that there was once an option or standard for >> using a certificate-contents-related hash as the serial number, but I >> can't seem to find it right now. > Hi, > could you please try to find this; I would be interested in such

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Walter H.
On 29.04.2014 20:15, Jakob Bohm wrote: I seem to (vaguely) recall that there was once an option or standard for using a certificate-contents-related hash as the serial number, but I can't seem to find it right now. Hi, could you please try to find this; I would be interested in such - a way o

Re: Increment certificate serial numbers randomly

2014-04-29 Thread Jakob Bohm
On 4/28/2014 10:53 AM, Mat Arge wrote: I agree with Walter, that it is not exactly good practise to have a CA key lying around on multiple servers. But anyway, if you need to do it you have to create the random serial number externally by some script and write it into the serial file (as set in t

RE: Increment certificate serial numbers randomly

2014-04-28 Thread Michael Wojcik
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Salz, Rich > Sent: Monday, 28 April, 2014 09:37 > > If you are comfortable with the key existing (online?) in multiple places, > make the serial number be a UUID treated as a BIGNUM. Yes, that's a muc

RE: Increment certificate serial numbers randomly

2014-04-28 Thread Salz, Rich
If you are comfortable with the key existing (online?) in multiple places, make the serial number be a UUID treated as a BIGNUM. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

RE: Increment certificate serial numbers randomly

2014-04-28 Thread Michael Wojcik
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mat Arge > Sent: Monday, 28 April, 2014 04:54 > > I agree with Walter, that it is not exactly good practise to have a CA key > lying around on multiple servers. But anyway, if you need to do it you hav

Re: Increment certificate serial numbers randomly

2014-04-28 Thread Larry Bugbee
On Apr 28, 2014, at 1:53 AM, Mat Arge wrote: > You'd still have incrementally growing serial numbers > (which is actually bad by itself) but from distinct ranges. ...or perhaps random within the range.

Re: Increment certificate serial numbers randomly

2014-04-28 Thread Mat Arge
I agree with Walter, that it is not exactly good practise to have a CA key lying around on multiple servers. But anyway, if you need to do it you have to create the random serial number externally by some script and write it into the serial file (as set in the openssl configuration file used) pr
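Two points in the thread come together here: Walter H.'s objection that a 256-bit serial is too big (RFC 5280 section 4.1.2.2 caps serialNumber at 20 octets and requires a positive integer), and Mat Arge's suggestion above of generating the random serial with an external script and writing it into the `serial` file named in the openssl configuration. The script below is an added example, not the thread's or OpenSSL's own code: it draws 20 octets from /dev/urandom, clears the top bit so the DER INTEGER is positive without a 21st padding octet, rejects an all-zero value, and writes the result where `openssl ca` will read it. The path of the serial file is whatever the CA section of the openssl.cnf in use points at; that and the use of `od`, `cut` and `tr` are the assumptions. It needs no openssl binary itself.

```shell
#!/bin/sh
# Added example (not from the thread): a random, RFC 5280-conformant serial
# written into OpenSSL's `serial` file before each `openssl ca` run.
# Assumed: /dev/urandom, POSIX od/cut/tr, and that openssl.cnf's `serial`
# setting names the file passed to write_serial_file.

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets.
# 32 octets (256 bits) therefore do not fit; 20 octets with the top bit
# cleared give 159 random bits, far beyond the 64 bits required of public CAs.
SERIAL_OCTETS=20

# valid_serial HEX: exit 0 if HEX is exactly SERIAL_OCTETS octets of lowercase
# hex, encodes as a positive DER INTEGER without a sign pad, and is non-zero.
valid_serial() {
    case "$1" in
        ""|*[!0-9a-f]*) return 1 ;;                 # empty or not lowercase hex
    esac
    [ "${#1}" -eq $((SERIAL_OCTETS * 2)) ] || return 1
    case "$1" in
        [89a-f]*) return 1 ;;                        # top bit set: negative as DER
        *[1-9a-f]*) return 0 ;;                      # at least one nonzero digit
    esac
    return 1                                         # all zero: not positive
}

# gen_serial: print one fresh serial as 40 hex digits.
gen_serial() {
    while :; do
        hex=$(od -An -tx1 -N "$SERIAL_OCTETS" /dev/urandom | tr -d ' \n')
        first=$(printf '%s' "$hex" | cut -c1)
        rest=$(printf '%s' "$hex" | cut -c2-)
        # Clear bit 7 of the first octet by mapping the leading digit 8-f to 0-7.
        case "$first" in
            8) first=0 ;; 9) first=1 ;; a) first=2 ;; b) first=3 ;;
            c) first=4 ;; d) first=5 ;; e) first=6 ;; f) first=7 ;;
        esac
        serial="$first$rest"
        if valid_serial "$serial"; then
            printf '%s\n' "$serial"
            return 0
        fi
        # Only an all-zero draw reaches here; try again.
    done
}

# write_serial_file PATH: overwrite the CA's serial file with a new value.
# `openssl ca` reads this file, uses the value, and rewrites it with value+1,
# so call this before every signing, not once at setup.
write_serial_file() {
    s=$(gen_serial) || return 1
    printf '%s\n' "$s" > "$1"
}

# Typical use, assuming openssl.cnf has `serial = ./serial` in its CA section:
#   write_serial_file ./serial
#   openssl ca -config openssl.cnf -in server.csr -out server.crt
# or, for a one-off signature that bypasses the serial file entirely:
#   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
#       -set_serial "0x$(gen_serial)" -out server.crt
```

Because `openssl ca` overwrites the serial file with the incremented value after each certificate, running this script only once would fall back to sequential serials from a random start, which is the "incrementally growing from distinct ranges" outcome discussed earlier in the thread; regenerating before each signing is what makes every serial independent.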

Re: Increment certificate serial numbers randomly

2014-04-27 Thread Viktor Dukhovni
On Sun, Apr 27, 2014 at 03:47:45PM +0200, Walter H. wrote: > >Is there any way to control the incrementing of the serial number from the > >root CA so that it is completely random, > > No. Whether it is or is not a good idea to do store and use issuing CA keys in multiple locations, it *is* possi

Re: Increment certificate serial numbers randomly

2014-04-27 Thread Walter H.
On 26.04.2014 05:52, csa321 wrote: We've generated our own CA for self-signing certificates. The issue is that we package up the openssl install for installation on multiple servers. Therefore, the root CA we create is part of the package as well. the private key of the root CA should only

Increment certificate serial numbers randomly

2014-04-27 Thread csa321