Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-16 Thread Kyle Hamilton
an 16, 2018 at 1:26 AM, Wouter Verhelst wrote: > On 14/01/2018 12:07, pratyush parimal wrote: >> Hi everyone, >> >> I read from several sources that the serial number of a cert MUST be >> unique within a CA. But could someone explain what would happen if the >>

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-16 Thread Wouter Verhelst
On 14/01/2018 12:07, pratyush parimal wrote: > Hi everyone, > > I read from several sources that the serial number of a cert MUST be > unique within a CA. But could someone explain what would happen if the > serial number was not unique? The certificate itself will contin

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread Salz, Rich via openssl-users
The combination of (issuer,serial#) is the only way to get a unique identifier for a certificate. Lots of software depends on certs being uniquely identifiable. What happens if that assertion is not true? Some things will break. What? Well, it depends on the software, and which certs are “

Re: [openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread Jochen Bern
On 01/14/2018 12:07 PM, pratyush parimal wrote: > I read from several sources that the serial number of a cert MUST be > unique within a CA. But could someone explain what would happen if the > serial number was not unique? Certificate Revocation Lists (CRLs) identify invalid certif

[openssl-users] SSL Cert serial number non-uniqueness impact

2018-01-14 Thread pratyush parimal
Hi everyone, I read from several sources that the serial number of a cert MUST be unique within a CA. But could someone explain what would happen if the serial number was not unique? Would it cause SSL connections to fail in some manner? I think I'm a little unclear about the "purpo

Re: [openssl-users] Serial Number with OpenSSL

2017-12-02 Thread Salz, Rich via openssl-users
* When I see SSL certificates, their serial number is like this : 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z Serial numbers are displayed as hex values, so my guess is you just typed that “as an example” since Q X Z aren’t valid hex characters. Or perhaps it was an extension (like device serial) that

Re: [openssl-users] Serial Number with OpenSSL

2017-12-01 Thread Michael Richardson
FOURES TOM wrote: > When I see SSL certificates, their serial number is like this : > 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z That's an unusual Serial Number, which even if you made this up, is just an integer. IDevID/802.1AR certificates will have a subjectAltName that is somet

Re: [openssl-users] Serial Number with OpenSSL

2017-12-01 Thread Kyle Hamilton
4Q? 8X? 1Z? Those are not octets that can show up in serial numbers. -Kyle H On Fri, Dec 1, 2017 at 2:21 PM, FOURES TOM wrote: > Hello, > > When I see SSL certificates, their serial number is like this : > 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z > > So, how could I set my serial fil

[openssl-users] Serial Number with OpenSSL

2017-12-01 Thread FOURES TOM
Hello, When I see SSL certificates, their serial number is like this : 0A:8D:9A:4Q:8X:1A:0B:88:18:1Z So, how could I set my serial file (with serial.old) for to obtain User Certificates with this serial using my openssl.cnf file? Thank you for your help! Have a nice day. Aris

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Jakob Bohm
On 21/08/2017 16:22, Robert Moskowitz wrote: On 08/21/2017 10:03 AM, Salz, Rich wrote: If the root is going to be trusted, make its serial number be one. ☺ Otherwise use eight bytes of random as the serial number, if you follow CABF guidelines. Kind of where my thinking is going. But once

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Erwann Abalea via openssl-users
block ciphers such as Simon, Speck, or find some tweakable lightweight block cipher, maybe from the ECRYPT portfolio (it’s down at this moment). Again, the 64bits coming from a CSPRNG is for public CAs only, and the uniqueness of a serial number is a dirty hack to be able to use a non collision

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Robert Moskowitz
On 08/21/2017 10:03 AM, Salz, Rich wrote: If the root is going to be trusted, make its serial number be one. ☺ Otherwise use eight bytes of random as the serial number, if you follow CABF guidelines. Kind of where my thinking is going. But once I make it '1', it might as well

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Salz, Rich via openssl-users
If the root is going to be trusted, make its serial number be one. ☺ Otherwise use eight bytes of random as the serial number, if you follow CABF guidelines.

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Robert Moskowitz
On 08/21/2017 09:36 AM, Salz, Rich wrote: ➢ Thus how large does this random number have It’s also to protect against predicting serial numbers and being able to leverage that. It’s not just (nor really mainly) the MD5 digest attacks. According to CABForum, you need 8 octets. No reason not

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Salz, Rich via openssl-users
➢ Thus how large does this random number have It’s also to protect against predicting serial numbers and being able to leverage that. It’s not just (nor really mainly) the MD5 digest attacks. According to CABForum, you need 8 octets. No reason not to use more if you can. ➢ page was talking

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Robert Moskowitz
On 08/21/2017 09:20 AM, Salz, Rich via openssl-users wrote: But in doing this, I can't figure out if there is a risk on serial number size for a root CA cert as there is for any other cert. I don’t understand what attack you are concerned about, but the size of the serial n

Re: [openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Salz, Rich via openssl-users
But in doing this, I can't figure out if there is a risk on serial number size for a root CA cert as there is for any other cert. I don’t understand what attack you are concerned about, but the size of the serial number should not matter for *any* certificate.

[openssl-users] Using set_serial to control serial number size directly

2017-08-21 Thread Robert Moskowitz
I have worked out that: openssl req -config openssl-root.cnf -set_serial 0x$(openssl rand -hex 19) -key private/ca.key.pem\ -subj "$DN"\ -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem allows you to override the serial number select proces

Re: [openssl-users] Clearing up some of my mistakes on serial number

2017-08-20 Thread Robert Moskowitz
On 08/20/2017 09:50 AM, Salz, Rich via openssl-users wrote: If you generate 19 bytes of RAND output, it will never exceed 20 bytes encoded. OpenSSL will be generating 159 bits of RAND output, so that it will never exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is

Re: [openssl-users] Clearing up some of my mistakes on serial number

2017-08-20 Thread Robert Moskowitz
On 08/20/2017 09:32 AM, Viktor Dukhovni wrote: On Aug 20, 2017, at 8:35 AM, Robert Moskowitz wrote: It is 64 - 160 BITS Correct, with the word "cryptographically random" somewhere in there, for at least 64 of the bits. Which is 8 - 20 OCTETS Correct, since an "octet" is 8 bits. or 4 - 1

Re: [openssl-users] Clearing up some of my mistakes on serial number

2017-08-20 Thread Salz, Rich via openssl-users
If you generate 19 bytes of RAND output, it will never exceed 20 bytes encoded. OpenSSL will be generating 159 bits of RAND output, so that it will never exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is bits.

Re: [openssl-users] Clearing up some of my mistakes on serial number

2017-08-20 Thread Viktor Dukhovni
> On Aug 20, 2017, at 8:35 AM, Robert Moskowitz wrote: > > It is 64 - 160 BITS Correct, with the word "cryptographically random" somewhere in there, for at least 64 of the bits. > Which is 8 - 20 OCTETS Correct, since an "octet" is 8 bits. > or 4 - 10 BYTES No, a "byte" nowadays is the same

[openssl-users] Clearing up some of my mistakes on serial number

2017-08-20 Thread Robert Moskowitz
you are doing this for your IoT run of 10 million per year, using an 8 BYTE serial number. And since we are using SHA256 with ECDSA, the known attacks are just not real. Yet. So in my highly biased opinion If you have the memory and bandwidth, go ahead with 8 bytes for serial. In

Re: [openssl-users] openssl req -x509 Serial Number

2013-04-29 Thread Erwann Abalea
On 28/04/2013 20:26, redpath wrote: When an x509 is created using the openssl command it creates a default serial number if one is not supplied How is this serial number created (algorithm) in general. A 64bits random number. openssl req -x509 etcetera The default serial number is quite

openssl req -x509 Serial Number

2013-04-28 Thread redpath
When an x509 is created using the openssl command it creates a default serial number if one is not supplied How is this serial number created (algorithm) in general. openssl req -x509 etcetera The default serial number is quite long so just using time_t (long) to set the serial number is not very

RE: Extract of Public key and Serial number from Certificate

2012-02-22 Thread praveenpvs

RE: Extract of Public key and Serial number from Certificate

2012-02-21 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of praveenpvs > Sent: Tuesday, 21 February, 2012 10:24 > When I extracted the public key and saved to file, the Public > key file looks like [---END--- line incomplete] > I am not able to figure out what is problem. > Any suggestions/thoughts?? >

Re: Extract of Public key and Serial number from Certificate

2012-02-21 Thread praveenpvs
= X509_get_serialNumber(x509); printf("\nThe length of the serial number is %d \n",ptr->length); while(iIndex < (int)ptr->length ) { sprintf(gszSerialNumber+iIndex*2, "%0.2X",ptr->data[iIndex++]);

Re: Extract of Public key and Serial number from Certificate

2012-02-21 Thread praveenpvs
ExtractSerialNumber\n"); ptr = X509_get_serialNumber(x509); printf("\nThe length of the serial number is %d \n",ptr->length); while(iIndex < (int)ptr->length ) { sprintf(gszSerialNumber+iIndex*2, "%0.2X",ptr->d

Re: Extract of Public key and Serial number from Certificate

2012-02-20 Thread Dr. Stephen Henson
On Mon, Feb 20, 2012, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of praveenpvs > > Sent: Sunday, 19 February, 2012 23:15 > > > I am new to OPENSSL. I have a certificate, I need to extract > > public key and > > serial number from

RE: Extract of Public key and Serial number from Certificate

2012-02-20 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of praveenpvs > Sent: Sunday, 19 February, 2012 23:15 > I am new to OPENSSL. I have a certificate, I need to extract > public key and > serial number from it. I know the command to do that, but I > wanted to use > api in my

Extract of Public key and Serial number from Certificate

2012-02-20 Thread praveenpvs
Hi, I am new to OPENSSL. I have a certificate, I need to extract public key and serial number from it. I know the command to do that, but I wanted to use api in my application. Command to get the public key from the certificate: openssl x509 -inform pem -in -pubkey -noout > Command to

Re: Displaying Serial Number of Cert via s_client ?

2012-01-07 Thread Peter Sylvester
On 01/07/2012 02:01 AM, Ken Adler wrote: I use echo GET | openssl s_client -connect www.google.com:443 -state to troubleshoot https handshakes. Is there a way to get it to return the Serial number (or thumbprint) of the server certificate? openssl s_client -connect www.google.com:443 2>

Displaying Serial Number of Cert via s_client ?

2012-01-06 Thread Ken Adler
I use echo GET | openssl s_client -connect www.google.com:443 -state to troubleshoot https handshakes. Is there a way to get it to return the Serial number (or thumbprint) of the server certificate? Currently, I have to cut and paste the returned Base64-encoded certificate into another file

Re: failed to read serial number (ASN1_INTEGER) from x509 certificate using openssl

2011-12-21 Thread Dr. Stephen Henson
On Wed, Dec 21, 2011, chetanrun wrote: > > How to read certificate details ( serial number, issuer , subject details) > from x509 certificate using Openssl. > > I parsed P12 file using PKCS12_parse(), then retrieved serial number in > ASN1_INTEGER format from obtained x509 ce

failed to read serial number (ASN1_INTEGER) from x509 certificate using openssl

2011-12-21 Thread chetanrun
How to read certificate details ( serial number, issuer , subject details) from x509 certificate using Openssl. I parsed P12 file using PKCS12_parse(), then retrieved serial number in ASN1_INTEGER format from obtained x509 certificate. But how do I parse it so that it can be read. -- View

verify and the authority and issuer serial number mismatch error

2011-08-03 Thread Bruce Stephens
31 at 0 depth lookup:authority and issuer serial number mismatch CN = config, CN = DSA Manager error 29 at 0 depth lookup:subject issuer mismatch CN = config, CN = DSA Manager error 29 at 0 depth lookup:subject issuer mismatch CN = config, CN = DSA Manager error 29 at 0 depth lookup:subject issuer mismatch CN

Re: How to retrieve serial number

2011-04-14 Thread Steven Friedman
. - Original Message - > Hello, > I 'd like to retrieve serial number from X509 certificate, then store > this sn in a memory pointed by char* sn ( in PEM or DER format). I did > not find any function... > Is there any combination of some functions to obtain it ? &g

How to retrieve serial number

2011-04-14 Thread ikuzar
Hello, I 'd like to retrieve serial number from X509 certificate, then store this sn in a memory pointed by char* sn ( in PEM or DER format). I did not find any function... Is there any combination of some functions to obtain it ? Thanks for your help.

RE: How to get the Serial Number

2010-11-16 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of bhaarat pachori > Sent: Saturday, 13 November, 2010 08:23 > Actually I am trying to get the Serial number of the der encoded certificate > > AOL_Member_CA.der. For the better understanding I am at

How to get the Serial Number

2010-11-13 Thread bhaarat pachori
Hi All I have some query regarding the serial number of the certificate. Actually I am trying to get the Serial number of the der encoded certificate AOL_Member_CA.der. For the better understanding I am attaching my code I would be very very thankful if anyone could help me out. Regards

RE: Duplicate serial number

2010-09-23 Thread Dave Thompson
question: > - Besides manually documenting a cross-reference for each certificate > that I sign to a serial number, is there any way to have this scripted > and for an appending log to the serial.srl file that's updated each time > it's used? In

Re: Duplicate serial number

2010-09-23 Thread Pascal Delaunay
ly documenting a cross-reference for each certificate that > I sign to a serial number, is there any way to have this scripted and for an > appending log to the serial.srl file that's updated each time it's used? In > short, a list of cert name (=CN perhaps) and serial number ass

Re: Duplicate serial number

2010-09-23 Thread Patrick Patterson
ndy GOKTAS wrote: > So using the "-CAserial serial.srl" might be a good idea to avoid this. > > Now this leads me to the next question: > - Besides manually documenting a cross-reference for each certificate that I > sign to a serial number, is there any w

Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
So using the "-CAserial serial.srl" might be a good idea to avoid this. Now this leads me to the next question: - Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending

Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
Great! Thanks for that information Patrick. :) Thanks, Andy Goktas >>> Patrick Patterson 9/17/2010 6:11 AM >>> Hi Andy: Well, aside from violating most of the standards around PKI, the main problem you will have is revocation - the way you revoke a certificate is to put i

Re: Duplicate serial number

2010-09-19 Thread Chris Kistner
The serial number has to be unique for the issuer (CA). You can have multiple certificates with the same SubjectName, but the SerialNumber field has to be unique unless you're using a different issuer. Chris On Sun, Sep 19, 2010 at 10:53 PM, wrote: > If you generate multiple certs

Re: Duplicate serial number

2010-09-19 Thread aerowolf
If you generate multiple certs with the same serial number, Firefox (and anything built with NSS) will absolutely refuse to have anything to do with those sites. There's no "click 3 times to get access", it's a simple refusal to talk with a non-standards-compliant serve

Re: Duplicate serial number

2010-09-17 Thread Patrick Patterson
Hi Andy: Well, aside from violating most of the standards around PKI, the main problem you will have is revocation - the way you revoke a certificate is to put its serial number on a CRL. So if you have multiple certs with the same serial number, if you ever need to revoke one of

Duplicate serial number

2010-09-17 Thread Andy GOKTAS
Hello, Just curious if anyone knows, but what happens if I generate multiple server certs (using my self generated signing CA using openssl) that have the same assigned serial number? Does this create a conflict within the network and if users end up accessing both certs, kabm?

Getting CRL serial number

2009-06-11 Thread René Korthaus
Hi everyone, I created a version 2 CRL, which has the CRL Serial extension set and now I have to extract the serial number from the CRL to compare it. I already got as far as extracting the CRL extension by NID. But now extracting the actual value from the extension is unclear to me. The

RE: CA generation/certificate serial number

2008-04-03 Thread David Schwartz
smime.p7m Description: S/MIME encrypted message

Re: CA generation/certificate serial number

2008-04-03 Thread Peter Sylvester
for ca.txt file. Is it normal behavior of openssl to be able to view a certificate without serial number using (without any error mentioned): openssl x509 -in some_cert_without_sn.pem -text But to be unable to verify it using: openssl verify -CAfile some_cert_without_sn.pem

Re: CA generation/certificate serial number

2008-01-07 Thread Giang Nguyen
nils >Frédéric Donnat wrote: > > Hi, > > Sorry for the mistake (nothing to deal with openssl.cnf file). I was just > looking for ca.txt file. > > Is it normal behavior of openssl to be able to view a certificate without > serial number using (without any er

RE: signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
sorry please ignore; this had been asked before: http://www.mail-archive.com/openssl-users@openssl.org/msg41502.html > From: [EMAIL PROTECTED] > To: openssl-users@openssl.org > Subject: signature failure when certificate contains no serial number (ie, > not one that equals zero)?

signature failure when certificate contains no serial number (ie, not one that equals zero)?

2008-01-07 Thread Giang Nguyen
i was messing around with (self-signed) certificate creation/signing and ran into this. the following two certificates are the same except for the serial number: "with_serial" has a serial number that is zero, and "no_serial" does not have any serial number. the "

Re: segfault in ASN1_INTEGER_to_BN() to get serial number from a certificate

2007-08-17 Thread Jean-Marc Desperrier
Jeremie Le Hen wrote: % char *tls_serial_number(X509 *peer) % { % ASN1_INTEGER *sn; % BIGNUM bn; % char *bnstr, *snstr; % size_t len; % % if ((sn = X509_get_serialNumber(peer)) == 0) % return (0); % ASN1_INTEGER_to_BN(sn, &bn);

segfault in ASN1_INTEGER_to_BN() to get serial number from a certificate

2007-08-17 Thread Jeremie Le Hen
(ASN1_INTEGER *) 0xbfbfe280 % (gdb) print *sn % $1 = {length = 134834432, type = 134948360, % data = 0x2 , flags = 300} What's wrong with my code? The certificate used by the TLS client is not special in any way: % Certificate: % Data: % Version: 3 (0x2) % Serial Number: %

Re: Cert Serial number

2007-08-01 Thread Marek Marcola
Hello, > how do I convert ASN1_INTEGER to either an int or long. WARNING: asn1 integers may be bigger than int or long! Best regards, -- Marek Marcola <[EMAIL PROTECTED]>

Cert Serial number

2007-08-01 Thread k b
Hi, how do I convert ASN1_INTEGER to either an int or long. Thanks!

Re: Revoking a certificate using only a serial number?

2006-07-28 Thread Bernhard Froehlich
Olaf Gellert wrote: Hi Joe, Joe Gluck wrote: Does anyone know how can I revoke a certificate, even if I don't have the certificate file anymore, (using openssl) can I just update the index.txt line associated with this certificate, change the V to R and add the revocation date? If this should w

Re: Revoking a certificate using only a serial number?

2006-07-28 Thread Olaf Gellert
e that the serial number of the revoked certificate is listed in the CRL. Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED] A daily view o

Revoking a certificate using only a serial number?

2006-07-27 Thread Joe Gluck
Does anyone know how I can revoke a certificate, even if I don't have the certificate file anymore, (using openssl) can I just update the index.txt line associated with this certificate, change the V to R and add the revocation date? If this should work, does anyone already have a script that does

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-28 Thread Erwann ABALEA
Hello, Today is the day before the Kalends of March 2006; Mark H. Wood wrote: > I think that part of the difficulty here is the words used. Our > experience in other areas is overwhelmingly in favor of "serial number" > being a sample from a counter that starts at 0 or 1 and is incremente

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-28 Thread Mark H. Wood
I think that part of the difficulty here is the words used. Our experience in other areas is overwhelmingly in favor of "serial number" being a sample from a counter that starts at 0 or 1 and is incremented by 1 every time it's consul

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Dr. Stephen Henson
On Sun, Feb 26, 2006, Dr. Stephen Henson wrote: > On Sun, Feb 26, 2006, Erwann ABALEA wrote: > > > The CA has the possibility to change the name of the issued > > certificate, by adding a random element (a kind of serial number), but > > this isn't usually well p

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Dr. Stephen Henson
llidingCertificates/ > Just to add that that version of the attack can only generate colliding certificates which are identical other than the public keys. > The CA has the possibility to change the name of the issued > certificate, by adding a random element (a kind of serial number), but

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Erwann ABALEA
d by a large proportion of the installed software base, CAs are "forced" to use SHA1... See also: http://www.win.tue.nl/~bdeweger/CollidingCertificates/ The CA has the possibility to change the name of the issued certificate, by adding a random element (a kind of serial number), but this isn&

Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Georg Lohrer
On So, 26 Feb 2006, Dr. Stephen Henson wrote: [example snipped] > The fairly large random value for serial numbers is designed to avoid that > situation but still allow the more knowledgeable user to override that. > > If you are sure the issuer name and serial number will be uni

Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Erwann ABALEA
Hello, Today is the fourth day before the Kalends of March 2006; Kyle Hamilton wrote: [...] > Can you give me a pointer to the several standards that reflect and > enforce the issuer name + serial number uniqueness? A more The X.509 says it all. >From this standard, a CA is a name (not a key, really a na

Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Dr. Stephen Henson
On Sun, Feb 26, 2006, Georg Lohrer wrote: > > As I have hopefully understood setting the serial number of a CA to a > distinct number like 1 is good practice. From a technical point of view any > number should be as good as another as long as they are unique (as you mentioned > in yo

Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Dr. Stephen Henson
On Sun, Feb 26, 2006, Kyle Hamilton wrote: > On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: > > > > > It is the combination of issuer name + serial number which must be unique in > > general: that's enforced by several standards. > > > >

Re: openssl req -x509 does not create serial-number 0

2006-02-26 Thread Kyle Hamilton
> > > > Issuing certificates with duplicate issuer and serial numbers is illegal > > > and > > > can cause strange problems which are difficult to diagnose. > > > > let's see... you're talking about the authorityKeyIdentifier? I > > thought tha

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Richard Salz
> let's see... you're talking about the authorityKeyIdentifier? I > thought that that went up 2 steps up the tree and then gave a serial > number of cert issued by that CA. No, it identifies the key that is signing the actual cert (or CRL). A CA's subject key identifier

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Dr. Stephen Henson
ted that zero was considered an invalid serial number. > > "serialNumber: A unique positive integer." At least I think. > The type of serialNumber that should be accepted doesn't place any limits on the sign. RFC3280 places restrictions on what a CA should generate. I

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Georg Lohrer
ng wrong? Or is the man-page wrong? > > > > The manual page needs updating. It now uses a random serial number unless a > serial number is given explicitly. This was to reduce the chance of duplicate > issuer names and serial numbers. Ah yes; I scrutinized through the code and sa

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Kyle Hamilton
On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote: > It was introduced as a bug fix to stop OpenSSL producing invalid certificates > under certain circumstances. > > A clarification indicated that zero was considered an invalid serial number. "serialNumber: A unique

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Dr. Stephen Henson
producing invalid certificates under certain circumstances. A clarification indicated that zero was considered an invalid serial number. Issuing certificates with duplicate issuer and serial numbers is illegal and can cause strange problems which are difficult to diagnose. If you want to keep the

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Kyle Hamilton
> > > Even if I create an explicit serial-file it won't be used for the 'req' > > command (tested with strace). > > > > Any ideas what I'm doing wrong? Or is the man-page wrong? > > > > The manual page needs updating. It now uses a rando

Re: openssl req -x509 does not create serial-number 0

2006-02-25 Thread Dr. Stephen Henson
On Sun, Feb 26, 2006, Georg Lohrer wrote: > > Even if I create an explicit serial-file it won't be used for the 'req' > command (tested with strace). > > Any ideas what I'm doing wrong? Or is the man-page wrong? > The manual page needs updating. It no

openssl req -x509 does not create serial-number 0

2006-02-25 Thread Georg Lohrer
t. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option 0 will be used for the serial number. So

x509_get_serialNumber can't get me the serial number in base 64

2005-10-20 Thread Isaac B
Hi, I have the following code char serial[300]; i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509)); n = BIO_read(bio, serial, min(BIO_pending(bio), 299)); n = max(n, 0); serial[n] = 0; BIO_flush(bio); And I get the following result inside serial 3030303031303030303030303030303030313134 So

FW: CA generation/certificate serial number

2005-09-01 Thread Frédéric Donnat
also ok) This is a problem with the serial number (ASN1) when NOT setting it in the X509 struct and saving in a file and reloading it from the file for a verification. My certificate is a bad one because I did not set the serial number. The question is: should the serial number be set to a

Re: CA generation/certificate serial number

2005-08-30 Thread Nils Larsch
Frédéric Donnat wrote: Hi, Sorry for the mistake (nothing to deal with openssl.cnf file). I was just looking for ca.txt file. Is it normal behavior of openssl to be able to view a certificate without serial number using (without any error mentioned): openssl x509 -in some_cert_without_sn.pem

CA generation/certificate serial number

2005-08-30 Thread Frédéric Donnat
Hi, Sorry for the mistake (nothing to deal with openssl.cnf file). I was just looking for ca.txt file. Is it normal behavior of openssl to be able to view a certificate without serial number using (without any error mentioned): openssl x509 -in some_cert_without_sn.pem -text But to be unable

Re: AW: Max length of serial number

2005-07-18 Thread Richard Levitte
[EMAIL PROTECTED] writes: as far as I read the text from the RFC, they are talking about non-negative numbers. So the range is from 0 to 2^(159)-1 because the one bit missing indicates a negative number. True. That doesn't change my point, though :-). Cheers, Richard - Please conside

AW: Max length of serial number

2005-07-18 Thread thomas . beckmann
to:[EMAIL PROTECTED] On Behalf Of Richard Levitte > Sent: Monday, 18 July 2005 15:42 > To: openssl-users@openssl.org > Cc: Jorey Bump > Subject: Re: Max length of serial number > > > Jorey Bump writes: > > > And RFC 3280 has this to say: > > > > 4.

Re: Max length of serial number

2005-07-18 Thread Richard Levitte
Jorey Bump writes: And RFC 3280 has this to say: 4.1.2.2 Serial number The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique

Re: Max length of serial number

2005-07-18 Thread Jorey Bump
Jorey Bump wrote: There is one caveat: the number of characters must be even: unable to load number from /etc/ssl/CA/serial error while loading serial number 3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:f_int.c:162: Therefore, I needed to modify my command

Re: Max length of serial number

2005-07-17 Thread Jorey Bump
Todd Wease wrote: On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote: What is the maximum length (if string) or size (if number) of a serial number? I am using the current datetime to set the initial serial number for my CA to provide a reasonable measure of uniqueness: # example

Re: Max length of serial number

2005-07-17 Thread Todd Wease
On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote: > What is the maximum length (if string) or size (if number) of a serial > number? > > I am using the current datetime to set the initial serial number for my > CA to provide a reasonable measure of uniqueness: &

Max length of serial number

2005-07-17 Thread Jorey Bump
What is the maximum length (if string) or size (if number) of a serial number? I am using the current datetime to set the initial serial number for my CA to provide a reasonable measure of uniqueness: # example: 200507171152001 SERIALINIT=$(date +%Y%m%d%H%M)001 echo $SERIALINIT > ser

Re: openssl ocsp request , serial number

2005-07-06 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 6 Jul 2005 09:07:23 -0700, "Choudhary, Bimalendu" <[EMAIL PROTECTED]> said: bchoudhary> 2) When I send the serial number 0x81 the der encoded bchoudhary>serial number is bchoudhary> bchoudhary> 02 02 00 81 bchoudhar

openssl ocsp request , serial number

2005-07-06 Thread Choudhary, Bimalendu
) When I send the serial number -serial 0x8 the der encoded serial number is 02 01 08 2) When I send the serial number 0x81 the der encoded serial number is 02 02 00 81 3) When I send the serial number 0x811 the der encoded serial number is 02 02 08 11 4) When I send the serial number 0x8111 the

Re: Get Serial number from a cert

2005-05-23 Thread Marco Roeland
On Monday May 23rd 2005 Angel Martinez Gonzalez wrote: > I want to get the serial number from a certificate. > > ... > > FILE *fp; > X509 *cert; > int serialNumber; > ASN1_INTEGER *bs; > > if (!(fp = fopen(CERTIFICADO_TTP, "r"))) > printf (&quo

Get Serial number from a cert

2005-05-23 Thread Angel Martinez Gonzalez
Hello: I want to get the serial number from a certificate. I use this function: X509_get_serialNumber(). This function returns a ASN1_INTEGER struct, with the field length, type, data and flag. I suppose that the serial number is stored in the data field of the struct. But I can't get it. My

serial number file not created in 0.9.7e

2004-11-04 Thread prakash babu
Hello all, In 0.9.7d the serial number file is created as follows 1. Create a certificate request

Re: Serial Number

2002-04-12 Thread Bear Giles
> Yes, you are right, it could be difficult to guarantee that the random > serial number will be unique. As an aside, I'm not sure this is such a major hurdle. The CA should be able to look up certs by serial number anyway, and if it can do that efficiently (e.g., you have a

Re: Serial Number

2002-04-11 Thread Averroes
Hi Richard, Yes, you are right, it could be difficult to guarantee that the random serial number will be unique. Also a digest from timestamp will be more appropriate. So suppose I can do something like that with e.g. (Linux) TIMESTAMP=`date` SN=`md5sum ${TIMESTAMP}` My question for you is
