"OpenSSL" Managing Serial Numbers when Signing CSR

Cryptography Tutorials - Herong's Tutorial Examples

∟"OpenSSL" Signing CSR Generated by "keytool"

∟"OpenSSL" Managing Serial Numbers when Signing CSR

This section provides a tutorial example on how to manage serial number when using 'OpenSSL' to sign a CSR (Certificate Signing Request) generated by 'keytool' with CA's private key.

If I use the "openssl x509 -req" command without providing serial number options, "OpenSSL" will give me an error like this:

herong> openssl x509 -req -in maria.csr -CA herong.crt 
-CAkey herong.key -out maria.crt -days 365

Loading 'screen' into random state - done
Signature ok
subject=/C=AT/ST=Maria State/L=Maria City/O=Maria Company
/OU=Maria Unit/CN=Maria Teresa
Getting CA Private Key
Enter pass phrase for herong.key: keypass
herong.srl: No such file or directory
2744:error:02001002:system library:fopen:No such file or directory:
bss_file.c:276:fopen('herong.srl','rb')
2744:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:

"OpenSSL" will try to open a file named "herong.srl". The error message is not clear at all. It does not say that "herong.srl" is the serial number file. There are 3 ways to supply a serial number to the "openssl x509 -req" command:

Create a text file named as "herong.srl" and put a number in the file.
Use the "-set_serial n" option to specify a number each time.
Use the "-CAcreateserial -CAserial herong.seq" option to let "OpenSSL" to create and manage the serial number.