author | Rich Salz <rsalz@openssl.org> | 2017-08-16 15:49:25 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-08-22 09:00:04 -0400 |
commit | ffb46830e2dfd3203044e6190f50a20fec50162d (patch) | |
tree | 744d016ce5d6dea1aa48a36e95024d8333dff969 /doc | |
parent | 932c0df29b7a5a2902c52e2f536b5b83392e2d42 (diff) |
Add random serial# support.
Add -rand_serial to CA command and "serial_rand" config option.
Up RAND_BITS to 159, and comment why: now conforms to CABForum
guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4185)
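The commit message gives the two constraints behind the 159-bit choice without spelling out the arithmetic. The following is an added example, not OpenSSL code and not part of the commit: it generates a serial from a CSPRNG, DER-encodes it the way an X.509 INTEGER is encoded, and checks it against RFC 5280 section 4.1.2.2 (positive integer, at most 20 content octets) and CA/Browser Forum Ballot 164 (at least 64 bits of CSPRNG output). All function names (`der_integer_content`, `random_serial`, `check_serial`, `max_der_len_for_bits`) are this example's own; the constants mirror the values named in the commit message and the two documents it cites.

```python
"""Why a random X.509 serial of 159 bits fits RFC 5280 and Ballot 164.

Added example (not OpenSSL code). A DER INTEGER is two's complement, so a
value whose leading content byte has its high bit set must be prefixed with a
0x00 byte to stay positive. 160 random bits can therefore need 21 content
octets, one over the RFC 5280 limit, while 159 bits always fits in 20.
"""
import secrets

RAND_BITS = 159          # the value the commit settled on
MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: at most 20 octets
MIN_ENTROPY_BITS = 64    # CA/Browser Forum Ballot 164: >= 64 bits of CSPRNG output


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value.

    Prepends 0x00 when the high bit of the first byte is set, because DER
    integers are two's complement. This length is what the 20-octet limit
    applies to (the tag and length bytes are not counted).
    """
    if value < 0:
        raise ValueError("serial numbers must be positive")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def random_serial(bits: int = RAND_BITS) -> int:
    """Draw `bits` bits from a CSPRNG and reject zero.

    RFC 5280 requires a positive integer, so the (astronomically unlikely)
    all-zero draw is retried rather than emitted.
    """
    while True:
        serial = secrets.randbits(bits)
        if serial > 0:
            return serial


def check_serial(serial: int, bits: int = RAND_BITS) -> list:
    """Return the list of constraint violations; empty means acceptable."""
    problems = []
    if serial <= 0:
        problems.append("serial must be positive (RFC 5280 4.1.2.2)")
    if len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        problems.append("DER encoding exceeds 20 octets (RFC 5280 4.1.2.2)")
    if bits < MIN_ENTROPY_BITS:
        problems.append("fewer than 64 bits of CSPRNG output (Ballot 164)")
    return problems


def max_der_len_for_bits(bits: int) -> int:
    """Worst-case DER content length for a `bits`-bit value (all bits set)."""
    return len(der_integer_content((1 << bits) - 1))


if __name__ == "__main__":
    s = random_serial()
    print(f"serial: {s:x}")
    print("DER content octets:", len(der_integer_content(s)))
    print("problems:", check_serial(s) or "none")
    print("worst case for 159 bits:", max_der_len_for_bits(159), "octets")
    print("worst case for 160 bits:", max_der_len_for_bits(160), "octets")
```

Running it shows the boundary directly: the worst-case 159-bit value encodes in exactly 20 octets, while the worst-case 160-bit value needs 21 because of the sign-padding byte, which is why a full 20 random bytes would not be safe without an additional check.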
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/ca.pod | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index a985631531..21e692e511 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod @@ -51,6 +51,7 @@ B<openssl> B<ca> [B<-subj arg>] [B<-utf8>] [B<-create_serial>] +[B<-rand_serial>] [B<-multivalue-rdn>] [B<-rand file...>] [B<-writerand file>] @@ -262,6 +263,13 @@ configuration file, must be valid UTF8 strings. If reading serial from the text file as specified in the configuration fails, specifying this option creates a new random serial to be used as next serial number. +To get random serial numbers, use the B<-rand_serial> flag instead; this +should only be used for simple error-recovery. + +=item B<-rand_serial> + +Generate a large random number to use as the serial number. +This overrides any option or configuration to use a serial number file. =item B<-multivalue-rdn> @@ -614,6 +622,7 @@ A sample configuration file with the relevant sections for B<ca>: certificate = $dir/cacert.pem # The CA cert serial = $dir/serial # serial no file + #rand_serial = yes # for random serial#'s private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file |
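Review bot: in the second hunk, the sentence added under B<-create_serial> ("To get random serial numbers, use the B<-rand_serial> flag instead; this should only be used for simple error-recovery.") reads as if B<-rand_serial> is the option limited to error recovery, when the intent is evidently the reverse. Suggest rewording along the lines of "B<-create_serial> is intended only for simple error recovery; to use a random serial number for every certificate, use B<-rand_serial> instead." The new B<-rand_serial> item should also name the configuration-file equivalent, since the commit message says one was added and the OPTIONS text is where a user would look for it.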
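Review bot: in the third hunk, the sample configuration shows the option as "rand_serial = yes", but the commit message calls the new config option "serial_rand"; one of the two names is wrong, and this commented-out sample line is the only place the option appears in the documentation change. Suggest confirming the name against the code, using it consistently in the commit message and the POD, and documenting the accepted values (the sample implies a yes/no switch) rather than leaving the option as a comment in the example only.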