[openssl-users] SSL Cert serial number non-uniqueness impact
Wouter Verhelst
wouter.verhelst at bosa.fgov.be
Tue Jan 16 09:26:25 UTC 2018
On 14/01/2018 12:07, pratyush parimal wrote:
> Hi everyone,
>
> I read from several sources that the serial number of a cert MUST be
> unique within a CA. But could someone explain what would happen if the
> serial number was not unique?
The certificate itself will continue to work (the signature will be
valid), but requesting status on the certificate (e.g., through OCSP or
by doing a lookup in a CRL) will not work as expected as those use the
serial number as an identifier.
> Would it cause SSL connections to fail in some manner?
No, but if the peer wants to request information on the used certificate
from the CA to verify whether the certificate is still valid, it may end
up receiving information about the wrong certificate.
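The two points in the reply above, shown as an added, self-contained Python model (this is not code from the list post and not OpenSSL code): a TLS peer only checks the issuer's signature, so two certificates that share a serial both verify, while a CRL/OCSP-style status store keyed by (issuer, serial) cannot tell them apart. The HMAC "signature", the CA and host names, and the status store are constructed stand-ins; the uniqueness check and the 64-bit CSPRNG serial are the mitigation side, modelled on RFC 5280 (positive, at most 20 octets, unique per issuer) and the CA/Browser Forum requirement for 64 bits of CSPRNG output.

```python
"""Toy model of why a certificate serial number must be unique per issuer.

Constructed example: revocation status, whether in a CRL or an OCSP response,
is keyed by (issuer, serial) and nothing else, so two certificates that share
a serial are indistinguishable to the status service even though each one's
signature verifies on its own.  Not OpenSSL code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str
    public_key: bytes   # constructed stand-in for the SubjectPublicKeyInfo
    signature: bytes

    def tbs(self) -> bytes:
        """The 'to be signed' fields in a fixed, unambiguous order."""
        return b"|".join([self.issuer.encode(), str(self.serial).encode(),
                          self.subject.encode(), self.public_key])


class CA:
    """Mini issuer.  `enforce_unique` models the issuance-database check a real
    CA must do; HMAC stands in for an RSA/ECDSA signature to stay offline."""
    MAX_SERIAL_BITS = 20 * 8   # RFC 5280: at most 20 octets

    def __init__(self, name, enforce_unique=True):
        self.name = name
        self.enforce_unique = enforce_unique
        self.signing_key = secrets.token_bytes(32)   # constructed CA private key
        self.issued_serials = set()

    def new_serial(self) -> int:
        # Positive value with 64 bits of CSPRNG output; retry on zero/collision.
        while True:
            serial = secrets.randbits(64)
            if serial > 0 and serial not in self.issued_serials:
                return serial

    def issue(self, subject, public_key, serial=None) -> Certificate:
        if serial is None:
            serial = self.new_serial()
        if serial <= 0:
            raise ValueError("RFC 5280 requires a positive serial number")
        if serial.bit_length() > self.MAX_SERIAL_BITS:
            raise ValueError("serial number longer than 20 octets")
        if self.enforce_unique and serial in self.issued_serials:
            raise ValueError(f"serial {serial} already issued by {self.name}")
        self.issued_serials.add(serial)
        unsigned = Certificate(self.name, serial, subject, public_key, b"")
        sig = hmac.new(self.signing_key, unsigned.tbs(), hashlib.sha256).digest()
        return Certificate(self.name, serial, subject, public_key, sig)

    def verify(self, cert: Certificate) -> bool:
        """What a TLS peer does in the handshake: check the issuer's signature.
        The serial is covered by the signature, its uniqueness is never checked."""
        expected = hmac.new(self.signing_key, cert.tbs(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.signature)


class StatusService:
    """CRL/OCSP-style store.  As with a CRL entry or an OCSP CertID, the key is
    (issuer, serial); subject and public key play no part."""

    def __init__(self):
        self._revoked = {}   # (issuer, serial) -> reason

    def revoke(self, cert: Certificate, reason: str) -> None:
        self._revoked[(cert.issuer, cert.serial)] = reason

    def status(self, cert: Certificate) -> str:
        return self._revoked.get((cert.issuer, cert.serial), "good")


def duplicate_serial_effect() -> dict:
    """A CA that skips the uniqueness check issues two certs with serial 1000
    and revokes only the first.  Returns what a relying party would observe."""
    sloppy = CA("CN=Example Sloppy CA", enforce_unique=False)
    svc = StatusService()
    a = sloppy.issue("CN=a.example", b"constructed-key-a", serial=1000)
    b = sloppy.issue("CN=b.example", b"constructed-key-b", serial=1000)
    svc.revoke(a, "keyCompromise")
    return {
        "a_signature_valid": sloppy.verify(a),   # handshake still succeeds
        "b_signature_valid": sloppy.verify(b),
        "a_status": svc.status(a),
        "b_status": svc.status(b),                # wrongly reported as revoked
    }


def strict_ca_rejects_duplicate() -> bool:
    """The mitigation: the issuance database refuses to reuse a serial."""
    strict = CA("CN=Example Strict CA")
    strict.issue("CN=a.example", b"constructed-key-a", serial=1000)
    try:
        strict.issue("CN=b.example", b"constructed-key-b", serial=1000)
    except ValueError:
        return True
    return False


def random_serials_are_distinct(n=1000) -> bool:
    """Auto-generated serials stay unique and within RFC 5280's bounds."""
    ca = CA("CN=Example Strict CA")
    serials = [ca.issue(f"CN=host{i}.example", b"k").serial for i in range(n)]
    return len(set(serials)) == n and all(0 < s < 1 << 160 for s in serials)


if __name__ == "__main__":
    print(duplicate_serial_effect())
    print("strict CA rejects duplicate:", strict_ca_rejects_duplicate())
    print("random serials distinct:", random_serials_are_distinct())
```

Running it prints both signatures as valid and both certificates as `keyCompromise`, which is the "information about the wrong certificate" outcome described above; the strict CA shows the check that prevents it at issuance time.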