Sling
March 20, 2019, 9:28am
1
Some background: https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/
My question is, should I be worried about my Let’s Encrypt certificates being revoked? Is LE using EJBCA anywhere in its infrastructure to generate certificates?
Let’s Encrypt runs their own CA software, Boulder.
Serial numbers include 136 bits of random data.
```go
// We want 136 bits of random number, plus an 8-bit instance id prefix.
const randBits = 136
serialBytes := make([]byte, randBits/8+1)
serialBytes[0] = byte(ca.prefix)
_, err := rand.Read(serialBytes[1:])
if err != nil {
	err = berrors.InternalServerError("failed to generate serial: %s", err)
	ca.log.AuditErrf("Serial randomness failed, err=[%v]", err)
	return nil, validity{}, err
}
serialBigInt := big.NewInt(0)
serialBigInt = serialBigInt.SetBytes(serialBytes)
```
Even if something happened to one or two bits, it wouldn’t be a compliance issue.
As far as I know, they’ve never issued trusted certificates using any other CA software.
3 Likes
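To make the compliance point concrete, here is an added example (my own code, not Boulder's and not from this thread) that builds a serial the same way as the quoted snippet and then checks it against the rules the linked article is about: a positive DER INTEGER of at most 20 octets (RFC 5280) carrying at least 64 bits of CSPRNG output (Baseline Requirements). The prefix values and the `entropyBits` parameter are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// randBits mirrors the Boulder snippet: 136 random bits after a prefix byte.
const randBits = 136

// NewSerial builds a serial the way the quoted Boulder code does: one
// instance-id prefix byte followed by randBits/8 bytes from crypto/rand.
func NewSerial(prefix byte) (*big.Int, error) {
	serialBytes := make([]byte, randBits/8+1)
	serialBytes[0] = prefix // assumed example prefix, not a real instance id
	if _, err := rand.Read(serialBytes[1:]); err != nil {
		return nil, fmt.Errorf("serial randomness failed: %w", err)
	}
	return new(big.Int).SetBytes(serialBytes), nil
}

// DERIntegerLen is the content length of the DER INTEGER for a positive value:
// its big-endian bytes plus a leading 0x00 when the top bit is set.
func DERIntegerLen(n *big.Int) int {
	b := n.Bytes()
	if len(b) == 0 || b[0]&0x80 != 0 {
		return len(b) + 1
	}
	return len(b)
}

// CheckSerial applies the rules behind the linked mass revocation: RFC 5280
// wants a positive INTEGER of at most 20 octets, and the Baseline Requirements
// want at least 64 bits of CSPRNG output. entropyBits is what the generator
// really draws; forcing the top bit to zero costs one bit of the configured size.
func CheckSerial(n *big.Int, entropyBits int) error {
	if n.Sign() <= 0 {
		return errors.New("serial must be positive")
	}
	if l := DERIntegerLen(n); l > 20 {
		return fmt.Errorf("serial encodes to %d octets, maximum is 20", l)
	}
	if entropyBits < 64 {
		return fmt.Errorf("only %d random bits, at least 64 required", entropyBits)
	}
	return nil
}
```

With the 136-bit layout above, even a prefix with the top bit set encodes to 19 octets, so the 20-octet limit is never reached.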
system
Closed
April 19, 2019, 9:50am
3
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.