Opened 3 years ago

Closed 14 months ago

#1217 closed User question (notabug)

--crl-verify crl 'dir' : 'dir' option and randomized certificate serial numbers

Reported by: tct Owned by: tct
Priority: minor Milestone:
Component: Certificates Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger, plaisthos, David Sommerseth


Easyrsa3 now generates certificates with randomized serial numbers.
This option can be changed back to sequential serial numbers, starting from 1, by defining EASYRSA_RAND_SN="no" when using EasyRSA3.

However, with cert serial numbers like 59:d6:72:51:1e:c8:c5:8c:2e:57:bb:4e:f8:81:47:35 and no decimal equivalent in the cert file, converting hex to decimal is a PITA.

--crl-verify crl dir still works but the decimal value for the hex serial above is 119414761774287214097427946775808919349 if you can find a way to convert it.

My question is: Can the way openvpn uses the the file name as serial number, when using the dir option to --crl-verify, be improved ?

Change History (4)

comment:1 Changed 3 years ago by Gert Döring

Cc: Steffan Karger plaisthos David Sommerseth added

no idea, but copying in people that understand CRL and crypto libraries...

comment:2 Changed 3 years ago by Steffan Karger

To be honest, I don't think this is worth investing time in. I would personally rather deprecate and remove the dir variant for revocation.

Something similar can easily be implement using a --crl-verify script if a user really wants something like this, where the user is free to select the identifier how (s)he wants. CN, hex fingerprint, hex serial, decimal serial, etc.

comment:3 Changed 14 months ago by tct

Owner: set to tct
Status: newaccepted

comment:4 Changed 14 months ago by tct

Resolution: notabug
Status: acceptedclosed

Answer accepted.

Note: See TracTickets for help on using tickets.