
How to disable index and serial?


Fredrik Strömberg

Jan 11, 2011, 10:02:26 AM
Hello,

I want to sign a certificate without using the index or serial files.
Can someone tell me how to disable them?

Not using -config makes openssl use the compiled default, and using my
own while commenting out "database" and "serial" gives me the error
"variable lookup failed for CA_default::database". If they can't be
disabled I would like to know if there's a possibility to lock the
files from openssl. Should that not work I need to implement my own
file locking.

(For the curious: I don't need serial because I only identify with CN,
and I don't need a database because I will never revoke any
certificates.)

Any thoughts?

Kind regards,
Fredrik Strömberg
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Eisenacher, Patrick

Jan 11, 2011, 10:40:27 AM
Hi Fredrik,

> -----Original Message-----
> From: Fredrik Strömberg
>
> I want to sign a certificate without using the index or serial files.
> Can someone tell me how to disable them?

you can't. But why would you care about openssl internals? Just generate your certificates and be fine.

> Not using -config makes openssl use the compiled default, and using my
> own while commenting out "database" and "serial" gives me the error
> "variable lookup failed for CA_default::database". If they can't be
> disabled I would like to know if there's a possibility to lock the
> files from openssl. Should that not work I need to implement my own
> file locking.
>
> (For the curious: I don't need serial because I only identify with CN,
> and I don't need a database because I will never revoke any
> certificates.)

Every certificate needs a serial, so you can't generate a certificate without one.

Please also note that the subject name can't be used to identify a specific certificate, let alone the subject name's CN RDN. For uniquely identifying a certain certificate you always need one of the pairs (issuer, serial), (issuer, subject key identifier) or (issuer, subject - in case the CA's policy forbids the issuance of 2 certificates for the same subject name).


HTH,
Patrick Eisenacher

Fredrik Strömberg

Jan 11, 2011, 11:39:19 AM

Hello Patrick,

Thank you for your email. I somehow managed to miss the word
"mandatory" in the manual. I guess there's nothing else for me to do
than code a file lock. I need to run multiple openssl instances, and
openssl doesn't lock the serial and index files. That's why I figured
I'd avoid the problem by not using the serial or index file at all,
and maybe supply a unique serial from the command line.

Kind regards,
Fredrik Strömberg

Dominique Lohez

Jan 11, 2011, 11:50:59 AM
Fredrik Strömberg wrote:
> Hello,

>
> I want to sign a certificate without using the index or serial files.
> Can someone tell me how to disable them?
>
> Not using -config makes openssl use the compiled default, and using my
> own while commenting out "database" and "serial" gives me the error
> "variable lookup failed for CA_default::database". If they can't be
> disabled I would like to know if there's a possibility to lock the
> files from openssl. Should that not work I need to implement my own
> file locking.
>
> (For the curious: I don't need serial because I only identify with CN,
> and I don't need a database because I will never revoke any
> certificates.)
>
>
In my understanding of your problem, the serial number of the
certificate is always required because
you can generate more than one certificate for a given user identified
with a given DN (and not CN).
This arises because you issue, for example, a certificate valid from January 1st to
March 31st,
the next one valid from April 1st to June 30th,
etc.
The only way to distinguish these certificates is the serial number.

I hope this helps
Best regards

Dominique LOHEZ
> Any thoughts?
>
> Kind regards,
> Fredrik Strömberg

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: Dominiq...@isen.fr

David Schwartz

Jan 11, 2011, 12:21:34 PM
On 1/11/2011 7:02 AM, Fredrik Strömberg wrote:

> (For the curious: I don´t need serial because I only identify with CN,
> and I don´t need a database because I will never revoke any
> certificates.)

The problem is, everybody else identifies by serial. So unless you don't
plan to interoperate with anyone else's software, you also need to
assign each certificate a unique serial number.

DS

Peter Sylvester

Jan 11, 2011, 12:17:16 PM
On 01/11/2011 05:50 PM, Dominique Lohez wrote:
> Fredrik Strömberg wrote:
>> Hello,
>>
>> I want to sign a certificate without using the index or serial files.
>> Can someone tell me how to disable them?

by using the command x509 and not ca, for example.
You can use a serial number based on a date
(seconds plus process id, for example) to guarantee
uniqueness.

As said below: If you create the same serial number
for different certs, the results may be
unpredictable depending at least on whether
a verifier has a cache of certificates.

Some example scripts like this can be found in the test
directory of 'curl', obtainable at http://curl.haxx.se

>>
>> Not using -config makes openssl use the compiled default, and using my
>> own while commenting out "database" and "serial" gives me the error
>> "variable lookup failed for CA_default::database". If they can't be
>> disabled I would like to know if there's a possibility to lock the
>> files from openssl. Should that not work I need to implement my own
>> file locking.
>>
>> (For the curious: I don't need serial because I only identify with CN,
>> and I don't need a database because I will never revoke any
>> certificates.)
>>

> In my understanding of your problem, the serial number of the certificate is always required because
> you can generate more than one certificate for a given user identified with a given DN (and not CN).
> This arises because you issue, for example, a certificate valid from January 1st to March 31st,
> the next one valid from April 1st to June 30th,
> etc.
> The only way to distinguish these certificates is the serial number.
>
> I hope this helps
> Best regards
>
> Dominique LOHEZ
>> Any thoughts?
>>
>> Kind regards,
>> Fredrik Strömberg

Erwann ABALEA

Jan 11, 2011, 1:23:54 PM
On 11 January 2011 (III Id. Ian. MMXI), Peter Sylvester wrote:

> by using the command x509 and not ca for example.
> you can use a serial number based on a date
> seconds plus processid for example) to guarantee
> uniqueness.

More on this. A serial number MUST be unique (by X.509 design), and
SHOULD be random (best practices, to avoid attacks with non
collision-resistant hash functions).

In order to be referenced by browser vendors (Opera comes to mind, and
I think Mozilla will require this), the serial number MUST be random
(or at least *appear* random from the outside).

--
Erwann ABALEA <erwann...@keynectis.com>
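The two posts above together describe the alternative to `openssl ca`: sign with `openssl x509 -req` and supply the serial yourself, and make that serial both unique and unpredictable. Predictable serials were one ingredient that made the 2008 MD5 chosen-prefix rogue-CA attack practical, which is the "non collision-resistant hash" concern Erwann raises. What follows is an editor's worked example, not code from the thread or from OpenSSL: `random_serial` draws the serial from the OS CSPRNG, `date_pid_serial` shows Peter's seconds-plus-PID scheme for comparison, `serial_is_valid` applies the RFC 5280 size and sign limits, and `sign_command` builds the `openssl x509 -req ... -set_serial` invocation. The file names are placeholders, and `run` is injectable so the command can be inspected without an OpenSSL binary present.

```python
"""Issue a certificate with `openssl x509 -req -set_serial` so that neither
index.txt nor the serial file is touched, and choose the serial the way the
thread recommends.  Editor's example, not code from the thread or from
OpenSSL; file names (ca.key, ca.crt, server.csr) are placeholders."""
import os
import secrets
import subprocess
import time

MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: serialNumber is at most 20 octets


def serial_is_valid(n):
    """The checks a conforming verifier applies: positive, and DER-encodable
    in at most 20 octets (a set top bit costs one extra 0x00 pad octet)."""
    if n <= 0:
        return False
    octets = (n.bit_length() + 7) // 8
    if n >> (octets * 8 - 1):
        octets += 1
    return octets <= MAX_SERIAL_OCTETS


def random_serial(nbytes=16):
    """Serial from the OS CSPRNG: unique with overwhelming probability and
    unpredictable, so nobody can precompute a colliding certificate.
    The top bit is cleared so the DER encoding stays exactly `nbytes` octets."""
    if not 8 <= nbytes <= MAX_SERIAL_OCTETS - 1:
        raise ValueError("nbytes must be between 8 and 19")
    while True:
        n = int.from_bytes(secrets.token_bytes(nbytes), "big")
        n &= (1 << (nbytes * 8 - 1)) - 1
        if n:
            return n


def date_pid_serial(now=None, pid=None):
    """Peter Sylvester's scheme: epoch seconds with the process id appended.
    Unique on one host (as long as PIDs do not wrap within a second) but
    entirely predictable, so it does not meet the 'random' recommendation."""
    now = int(time.time() if now is None else now)
    pid = os.getpid() if pid is None else pid
    return (now << 32) | (pid & 0xFFFFFFFF)


def sign_command(csr, ca_cert, ca_key, out, serial, days=365):
    """argv for signing `csr` under `ca_cert`/`ca_key` with an explicit serial.
    With -set_serial, openssl x509 does not use the -CAserial file either, so
    nothing shared on disk is read or written during issuance."""
    if not serial_is_valid(serial):
        raise ValueError("serial must be positive and fit in 20 DER octets")
    return ["openssl", "x509", "-req", "-in", csr,
            "-CA", ca_cert, "-CAkey", ca_key,
            "-set_serial", "0x%x" % serial,
            "-days", str(days), "-out", out]


def sign(csr, ca_cert, ca_key, out, serial=None, run=subprocess.run):
    """Sign with a fresh random serial (or the one given).  `run` is injectable
    so the command line can be checked without an OpenSSL binary."""
    serial = random_serial() if serial is None else serial
    run(sign_command(csr, ca_cert, ca_key, out, serial), check=True)
    return serial


if __name__ == "__main__":
    # Dry run: print the command instead of executing it.
    print("serial 0x%x" % sign("server.csr", "ca.crt", "ca.key", "server.crt",
                                run=lambda argv, check: print(" ".join(argv))))
```

Because no state is shared between invocations, any number of these can run in parallel without the locking problem discussed below, at the cost of having no index.txt to revoke from later. OpenSSL 1.1.1 and later also added `-rand_serial` (or `rand_serial = yes` in the config) to `openssl ca`, which replaces the serial file with a random value but still updates index.txt and so still needs the lock.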

Mark H. Wood

Jan 12, 2011, 9:48:45 AM
On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
> In order to be referenced by browser vendors (Opera comes to mind, and
> I think Mozilla will require this), the serial number MUST be random
> (or at least *appear* random from the outside).

Oh, now I'm curious. How do they test the randomness of a single
sample? "1" is every bit as random (or nonrandom) as
"0xdcb4a459f014617692d112f0942c89cb".

--
Mark H. Wood, Lead System Programmer mw...@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.

Mark H. Wood

Jan 12, 2011, 9:40:58 AM
On Tue, Jan 11, 2011 at 05:39:19PM +0100, Fredrik Strömberg wrote:
> Hello Patrick,
>
> Thank you for your email. I somehow managed to miss the word
> "mandatory" in the manual. I guess there´s nothing else for me to do
> than code a file lock. I need to run multiple openssl instances, and
> openssl doesn´t lock the serial and index files. That´s why I figured
> I´d avoid the problem by not using the serial or index file at all,
> and maybe supply a unique serial from the command line.

That sounds like a problem with OpenSSL that should be fixed. Perhaps
you could develop and share a patch that provides locking?

Erwann ABALEA

Jan 12, 2011, 12:29:30 PM
On 12 January 2011 (pr. Id. Ian. MMXI), Mark H. Wood wrote:

> On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
> > In order to be referenced by browser vendors (Opera comes to mind, and
> > I think Mozilla will require this), the serial number MUST be random
> > (or at least *appear* random from the outside).
>
> Oh, now I'm curious. How do they test the randomness of a single
> sample? "1" is every bit as random (or nonrandom) as
> "0xdcb4a459f014617692d112f0942c89cb".

That's not how it's done. When you apply for your Root CA to be
referenced in a product, you supply your CP and CPS, and audit
results. That's the auditor's job to ask how the serial is generated,
in order to check that you really do what you say you do.

Lying during the audit is of course technically possible, but it will
surely be discovered one day, and you'll lose your business.

David Schwartz

Jan 12, 2011, 1:19:08 PM
On 1/12/2011 6:48 AM, Mark H. Wood wrote:

> Oh, now I'm curious. How do they test the randomness of a single
> sample? "1" is every bit as random (or nonrandom) as
> "0xdcb4a459f014617692d112f0942c89cb".

They don't validate the number itself, they validate that the method by
which the number was claimed to be generated meets the requirements for
randomness and that the number was in fact generated by the method by
which it was claimed to be generated.

One way is to have an auditor present during an ISO 21188 root key
ceremony. Typically, the auditor examines the videotape of the root key
ceremony, the notarized log book, the signed statements of the signatory
and lawyer witnesses, and if necessary, questions the signatory witnesses.

DS

Fredrik Strömberg

Jan 13, 2011, 5:27:31 AM

I solved the problem by making a file lock in my customized wrapper,
in Python, with the fcntl module. No C code involved. My skills in C
are not enough to code a patch suited for production use,
unfortunately.

Kind regards,
Fredrik Strömberg
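The wrapper described in the post above, as an editor's worked example (not the poster's code): an flock(2)-based lock held around the whole `openssl ca` run, plus a re-implementation of the serial-file update so the lock can be exercised, and the read-modify-write race it prevents seen, without an OpenSSL binary. It is Unix-only, and the config and CSR names are placeholders.

```python
"""Serialise concurrent `openssl ca` runs with an advisory lock.  Editor's
example, not the original poster's wrapper; Unix-only (fcntl), and the
config/CSR names are placeholders.  next_serial() re-implements the serial
file update so the lock can be exercised without an OpenSSL binary."""
import fcntl
import os
import subprocess
import tempfile
import threading
from contextlib import contextmanager


@contextmanager
def ca_lock(lock_path):
    """Hold an exclusive flock(2) on `lock_path`.  flock locks belong to the
    open file description, so every wrapper process (or thread) that opens
    the lock file itself is excluded until the holder releases it, and the
    kernel drops the lock if the holder dies, unlike an O_EXCL lock file."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def next_serial(serial_path):
    """Read the hex serial that `openssl ca` keeps in its serial file, hand it
    out, and write back the incremented value in the same format (upper-case
    hex, even number of digits).  This read-modify-write is exactly the race
    two unlocked openssl instances lose: both read 0A, both issue serial 0A.
    Call it only under ca_lock()."""
    with open(serial_path, "r+") as f:
        current = int(f.read().strip(), 16)
        digits = "%X" % (current + 1)
        if len(digits) % 2:
            digits = "0" + digits
        f.seek(0)
        f.truncate()
        f.write(digits + "\n")
    return current


def sign_locked(csr, out, lock_path, config="openssl.cnf", run=subprocess.run):
    """Run `openssl ca` while holding the lock, so two wrappers can never read
    the same serial/index.txt state.  `run` is injectable for testing."""
    argv = ["openssl", "ca", "-batch", "-config", config, "-in", csr, "-out", out]
    with ca_lock(lock_path):
        return run(argv, check=True)


def allocate_concurrently(serial_path, lock_path, workers=8, per_worker=50):
    """Hammer the serial file from several threads, each taking the lock
    through its own file descriptor; returns every serial handed out."""
    issued = []

    def worker():
        for _ in range(per_worker):
            with ca_lock(lock_path):
                issued.append(next_serial(serial_path))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return issued


def demo():
    """Start from serial 01 as `openssl ca` conventionally does, allocate 400
    serials concurrently and return them with the final file contents."""
    with tempfile.TemporaryDirectory() as d:
        serial_path = os.path.join(d, "serial")
        with open(serial_path, "w") as f:
            f.write("01\n")
        issued = allocate_concurrently(serial_path, os.path.join(d, "ca.lock"))
        with open(serial_path) as f:
            final = f.read().strip()
    return issued, final


if __name__ == "__main__":
    issued, final = demo()
    print(len(issued), "serials,", len(set(issued)), "distinct, file now", final)
```

The lock must wrap the entire `openssl ca` invocation, not just the serial read, because openssl rewrites both the serial file and index.txt before it exits; and flock is only trustworthy on a local filesystem, so keep the CA directory off NFS if several hosts share it.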

Mark H. Wood

Jan 13, 2011, 11:06:54 AM
Ah. I did not understand that "referenced by browser vendors" meant
we were talking about inclusion in their canned trust stores. Thanks,
both of you.