Opened 5 years ago
Closed 2 years ago
#1217 closed User question (notabug)
--crl-verify crl 'dir' : 'dir' option and randomized certificate serial numbers
| Reported by: | tct | Owned by: | tct |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Certificates | Version: | |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger, plaisthos, David Sommerseth | | |
Description
Easyrsa3 now generates certificates with randomized serial numbers. This option can be changed back to sequential serial numbers, starting from 1, by defining EASYRSA_RAND_SN="no" when using EasyRSA3.

However, with cert serial numbers like 59:d6:72:51:1e:c8:c5:8c:2e:57:bb:4e:f8:81:47:35 and no decimal equivalent in the cert file, converting hex to decimal is a PITA. --crl-verify crl dir still works, but the decimal value for the hex serial above is 119414761774287214097427946775808919349, if you can find a way to convert it.

My question is: Can the way openvpn uses the file name as serial number, when using the dir option to --crl-verify, be improved?
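The conversion the ticket asks about, as an added example that is not part of the ticket, of OpenVPN or of EasyRSA. It accepts the serial in either form openssl prints it (colon-separated from `-text`, bare hex from `-serial`) and returns the decimal string that the dir variant of --crl-verify expects as a file name; that file-name convention is the one fact about OpenVPN it relies on, and it is the one the ticket states. The function names and the sample inputs are the example's own.

```python
"""Turn an X.509 serial as printed by `openssl x509 -noout -serial` (or the
colon-separated form from `openssl x509 -text`) into the decimal string that
`--crl-verify <dir> dir` expects as a file name, and create that file.

Added example for this ticket; not code from OpenVPN or EasyRSA. It assumes
only what the ticket states: the dir variant looks for a file whose name is
the certificate serial number in decimal.
"""
import re
import sys
from pathlib import Path

# Constructed sample: the serial quoted in the ticket, in the two forms
# openssl prints it (colon-separated from -text, bare hex from -serial).
SAMPLE_COLON = "59:d6:72:51:1e:c8:c5:8c:2e:57:bb:4e:f8:81:47:35"
SAMPLE_BARE = "serial=59D672511EC8C58C2E57BB4EF8814735"


def normalize_hex_serial(text: str) -> str:
    """Return the serial as lowercase hex without separators or prefixes.

    Accepts 'serial=...', '0x...', colon- or space-separated bytes, and the
    'Serial Number: 1 (0x1)' line that -text prints for small serials.
    """
    s = text.strip()
    s = re.sub(r"^serial\s*=\s*", "", s, flags=re.I)
    m = re.search(r"\(0x([0-9a-f]+)\)", s, flags=re.I)
    if m:                       # 'Serial Number: 1 (0x1)' form
        s = m.group(1)
    s = re.sub(r"^serial number:\s*", "", s, flags=re.I)
    s = re.sub(r"^0x", "", s, flags=re.I)
    s = re.sub(r"[:\s]", "", s)
    if not s or not re.fullmatch(r"[0-9a-f]+", s, flags=re.I):
        raise ValueError(f"not a hex serial: {text!r}")
    return s.lower()


def hex_serial_to_decimal(text: str) -> str:
    """Decimal string for the serial. Python ints are arbitrary precision,
    so 128-bit (or longer) randomized EasyRSA serials are no problem."""
    return str(int(normalize_hex_serial(text), 16))


def decimal_to_hex_serial(dec: str) -> str:
    """Reverse direction, colon-separated like openssl -text, for checking
    an existing CRL-dir file name against a certificate."""
    h = format(int(dec), "x")
    if len(h) % 2:
        h = "0" + h
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def revoke_in_crl_dir(crl_dir: Path, hex_serial: str) -> Path:
    """Create the (empty) file OpenVPN's dir mode checks for. The file's
    contents are never read, so an empty file is enough."""
    path = crl_dir / hex_serial_to_decimal(hex_serial)
    crl_dir.mkdir(parents=True, exist_ok=True)
    path.touch()
    return path


if __name__ == "__main__":
    for arg in sys.argv[1:] or [SAMPLE_COLON, SAMPLE_BARE]:
        print(f"{arg} -> {hex_serial_to_decimal(arg)}")
```

Run it with the output of `openssl x509 -in client.crt -noout -serial` as the argument, or feed the colon-separated line from `-text`; both forms give the same decimal file name. `revoke_in_crl_dir` creates that file in the directory given to --crl-verify.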
Change History (4)
comment:1 Changed 4 years ago by
| Cc: | Steffan Karger plaisthos David Sommerseth added |
|---|---|
comment:2 Changed 4 years ago by
To be honest, I don't think this is worth investing time in. I would personally rather deprecate and remove the dir variant for revocation.

Something similar can easily be implemented using a --crl-verify script if a user really wants something like this, where the user is free to select the identifier how (s)he wants: CN, hex fingerprint, hex serial, decimal serial, etc.
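A sketch of the script approach described in comment:2, added here and not part of the ticket, of OpenVPN or of EasyRSA. It assumes the script is wired in through OpenVPN's --tls-verify hook, which runs the command with the certificate depth and the X.509 subject string as its two arguments and exports the peer certificate's serial as tls_serial_{depth} (decimal) and tls_serial_hex_{depth}, and its SHA-1 fingerprint as tls_digest_{depth}; the list-file format (one identifier per line, any of the forms comment:2 lists), the REVOKE_LIST variable and the sample data are the example's own.

```python
"""Revocation check in the style comment:2 suggests: a verify script that
matches the peer certificate against a text list in which each line may be
a CN, a decimal serial, a hex serial, or a hex fingerprint.

Added example for this ticket, not OpenVPN's or EasyRSA's code. Assumptions:
the hook is OpenVPN's --tls-verify, which runs `script <depth> <subject>`
and exports tls_serial_{depth} (decimal), tls_serial_hex_{depth} and
tls_digest_{depth} (hex, possibly colon-separated). The list-file format,
the REVOKE_LIST variable and the sample data below are the example's own.
"""
import os
import re
import sys
from typing import Mapping, Set, Tuple

# Constructed revocation list, one identifier per line, mixed formats.
SAMPLE_LIST = """
# comments and blank lines are ignored
CN=old-laptop
119414761774287214097427946775808919349
0xAB:CD:EF:01
sha1:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef
"""

# Constructed environment as --tls-verify would export it for depth 0.
SAMPLE_ENV = {
    "tls_serial_0": "119414761774287214097427946775808919349",
    "tls_serial_hex_0": "59:d6:72:51:1e:c8:c5:8c:2e:57:bb:4e:f8:81:47:35",
    "tls_digest_0": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44",
}


def hexnorm(s: str) -> str:
    """Lowercase hex with separators, 0x/sha1: prefixes and leading zeros
    removed, so '0xAB:CD', 'abcd' and '00abcd' compare equal."""
    s = re.sub(r"^(sha1:|0x)", "", s.strip(), flags=re.I)
    s = re.sub(r"[:\s]", "", s).lower()
    return s.lstrip("0") or ("0" if s else "")


def cn_of(subject: str) -> str:
    """CN attribute of an X.509 subject string; both the comma-separated
    ('C=KG, O=Example, CN=client1') and slash-separated forms are accepted."""
    for part in re.split(r"[,/]", subject):
        k, _, v = part.strip().partition("=")
        if k.strip().upper() == "CN":
            return v.strip()
    return ""


def load_list(text: str) -> Set[Tuple[str, str]]:
    """Normalize every non-comment line to a comparable (kind, value) token."""
    tokens = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("CN="):
            tokens.add(("cn", line[3:].strip()))
        elif re.fullmatch(r"[0-9]+", line):
            tokens.add(("dec", str(int(line))))      # canonical decimal
        else:
            tokens.add(("hex", hexnorm(line)))
    return tokens


def is_revoked(depth: int, subject: str, env: Mapping[str, str],
               tokens: Set[Tuple[str, str]]) -> bool:
    """True if any identifier of the certificate at `depth` is listed."""
    serial_dec = env.get(f"tls_serial_{depth}", "")
    serial_hex = hexnorm(env.get(f"tls_serial_hex_{depth}", ""))
    digest = hexnorm(env.get(f"tls_digest_{depth}", ""))
    candidates = {("cn", cn_of(subject))}
    # Offer the serial in both bases so a hex entry matches a decimal
    # export and vice versa; this is the conversion the ticket complains about.
    if serial_dec:
        candidates.add(("dec", str(int(serial_dec))))
        candidates.add(("hex", hexnorm(format(int(serial_dec), "x"))))
    if serial_hex:
        candidates.add(("hex", serial_hex))
        candidates.add(("dec", str(int(serial_hex, 16))))
    if digest:
        candidates.add(("hex", digest))
    return bool(candidates & tokens)


def main() -> int:
    depth, subject = int(sys.argv[1]), sys.argv[2]
    with open(os.environ.get("REVOKE_LIST", "/etc/openvpn/revoked.txt")) as f:
        tokens = load_list(f.read())
    # Only the leaf certificate (depth 0) is checked; CA certificates pass.
    if depth == 0 and is_revoked(depth, subject, os.environ, tokens):
        print("certificate revoked", file=sys.stderr)
        return 1      # a non-zero exit makes OpenVPN reject the connection
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The point of the script is that the list can hold whichever identifier the administrator has at hand: the decimal serial from the ticket, the colon-separated hex serial straight from `openssl x509 -text`, a fingerprint, or just the CN, with all the normalization done once in one place.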
comment:3 Changed 2 years ago by
| Owner: | set to tct |
|---|---|
| Status: | new → accepted |
no idea, but copying in people that understand CRL and crypto libraries...