What is the significance of set_serial option while generating client certificate?

Tags: haproxy

What is the significance of the set_serial option while generating a client certificate?

# client certificate creation
openssl genrsa -out client1.key 1024
openssl genrsa -out client2.key 1024
openssl req -new -key client1.key -out client1.csr
openssl req -new -key client2.key -out client2.csr
openssl x509 -req -days 365 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client1.crt
openssl x509 -req -days 365 -in client2.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client2.crt

I used the same serial number 01 for all client certificates. Is there any issue when revoking a specific client certificate?

asked Mar 08 '17 11:03 by yalamandala venkateswarlu (980 likes)

3 Answers

Since summer 2021 it is recommended not to use subsequent serial numbers.

So you can use the new -rand_serial option, recently added to openssl.

And if that option is not available, you can use the workaround:

openssl x509 ... -set_serial "0x`openssl rand -hex 8`"
answered Sep 30 '22 13:09 by Alexander Farber (89 likes)
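The following script is an added example for this thread; it is not code from the question or from any of the answers. It reproduces the question's setup (two client certificates both signed with `-set_serial 01`) and then the workaround from the answer above (a random 64-bit serial from `openssl rand -hex 8`), and in each case revokes client1 and checks what happens to client2. It assumes a standard `openssl` CLI (1.1.1 or 3.x) and a POSIX shell; the CA, the `ca.cnf` config, the client names and all key material are throwaway values constructed here in a temporary directory.

```shell
#!/bin/sh
# Added example for this thread; not code from the question or any answer.
# Assumes a standard `openssl` CLI (1.1.1 or 3.x) and a POSIX shell. Everything
# it creates is throwaway material in a fresh temporary directory.

# Write a minimal config, create a throwaway CA, and emit an (empty) CRL.
# [ test_ca ] is the bare minimum `openssl ca` needs to revoke certificates and
# sign a CRL; [ req ] keeps `openssl req` independent of the system openssl.cnf.
# Must be called inside an empty directory.
make_ca() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
EOF
  : > index.txt                     # empty certificate database
  echo 01 > crlnumber               # CRL sequence number
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1 &&
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# issue NAME SERIAL: sign a client certificate for NAME with the serial passed
# to -set_serial, the same way the question does it.
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 30 -in "$1.csr" -CA ca.crt -CAkey ca.key \
    -set_serial "$2" -out "$1.crt" >/dev/null 2>&1
}

# revoke NAME: record the certificate as revoked (the CA database and the CRL
# identify it by serial number only) and regenerate ca.crl.
revoke() {
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1 &&
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# verify_status NAME: print "valid", "revoked", or the raw verify output for
# any other failure, after checking the certificate against ca.crt and ca.crl.
verify_status() {
  out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" 2>&1)
  if [ $? -eq 0 ]; then echo valid
  elif echo "$out" | grep -q "certificate revoked"; then echo revoked
  else echo "$out"; fi
}

# Scenario from the question: both client certificates carry serial 01. A CRL
# entry names only (issuer, serial), so revoking client1 revokes client2 too.
# Returns 0 when exactly that collateral revocation is observed.
shared_serial_collision() (
  cd "$(mktemp -d)" && make_ca || exit 1
  issue client1 01 && issue client2 01 || exit 1
  [ "$(verify_status client1)" = valid ] && [ "$(verify_status client2)" = valid ] || exit 1
  revoke client1 || exit 1
  [ "$(verify_status client1)" = revoked ] && [ "$(verify_status client2)" = revoked ]
)

# Workaround from the answer above: a random 64-bit serial per certificate.
# Revoking client1 now leaves client2 valid. Returns 0 when that is observed.
random_serial_isolates() (
  cd "$(mktemp -d)" && make_ca || exit 1
  issue client1 "0x$(openssl rand -hex 8)" && issue client2 "0x$(openssl rand -hex 8)" || exit 1
  s1=$(openssl x509 -noout -serial -in client1.crt)
  s2=$(openssl x509 -noout -serial -in client2.crt)
  [ -n "$s1" ] && [ "$s1" != "$s2" ] || exit 1   # distinct serials, as intended
  revoke client1 || exit 1
  [ "$(verify_status client1)" = revoked ] && [ "$(verify_status client2)" = valid ]
)

# Stand-alone run: report both outcomes.
shared_serial_collision && echo "serial 01 reused: revoking client1 also revoked client2"
random_serial_isolates  && echo "random serials: revoking client1 left client2 valid"
```

The script uses the `openssl ca` database (`index.txt`) to build the CRL because that is what keys revocation by serial; `openssl x509 -req -set_serial`, as used in the question, does no bookkeeping at all and will happily sign any serial you hand it, which is how two certificates ended up with serial 01. Issuing through `openssl ca` instead refuses a serial that is already in its database, and on releases that have `-rand_serial` it can pick the random value for you.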


Each certificate is uniquely identified by a serial number, and so one is needed when generating the certificate. When issuing a certificate, the CA has to make sure that the serial number is unique and not reused.

When a certificate is revoked/expired, a new certificate is issued; the only difference between the old and new certificate will be the serial number. Since no other data in the certificate can uniquely identify a certificate within a CA, the serial number is needed. There can be two certificates for the same site/domain with the only difference being the serial number. The serial number uniquely identifies a certificate within the CA.

answered Sep 30 '22 14:09 by Jay Rajput (26 likes)


The serial number becomes part of the certificate and can be used by the certificate authority to ID the signed certificates.

answered Sep 30 '22 14:09 by Ray Hulha (27 likes)