Can create a cert with no serial number?
Michael Richardson
mcr at sandelman.ca
Thu Jun 1 17:30:54 UTC 2023
Robert Moskowitz <rgm at htt-consult.com> wrote:
> I tried putting in my conf:
> serial = none
> and that made an error.
> Best I have done is a serial of length 1 byte. But in my work, the
> subject or SAN provide uniqueness and CRLs will not be used. So want
> to see if I can create a cert with NO serial number.
I don't think RFC5280 lets you do that.
section 4.1 says:
    TBSCertificate ::= SEQUENCE {
        version              [0]  EXPLICIT Version DEFAULT v1,
        serialNumber              CertificateSerialNumber,
        signature                 AlgorithmIdentifier,
        issuer                    Name,
        validity                  Validity,
        subject                   Name,
        subjectPublicKeyInfo      SubjectPublicKeyInfo,
        issuerUniqueID       [1]  IMPLICIT UniqueIdentifier OPTIONAL,
so making it one byte is the best you can do.
serialNumber is not an optional field.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
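As an added illustration of the point made in the reply above (this is example code, not from the thread or from OpenSSL): the following standard-library Python encodes a CertificateSerialNumber as a DER INTEGER under the RFC 5280 section 4.1.2.2 rules (positive, at most 20 octets, leading 0x00 when the top bit is set) and walks the start of a DER TBSCertificate to pull the serial out. The parser follows the ASN.1 quoted above: version [0] is optional (DEFAULT v1) and is skipped if present, but if the next element is not an INTEGER the structure is rejected, which is what "serialNumber is not an optional field" means on the wire. The `toy_tbs` builder is a constructed fragment containing only the first three fields, not a complete certificate.

```python
"""Serial-number handling for an X.509 TBSCertificate (RFC 5280, 4.1 and 4.1.2.2).

Standard library only; example code written for this thread, not OpenSSL's own.
"""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triplet."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_serial(serial: int) -> bytes:
    """DER-encode a CertificateSerialNumber.

    RFC 5280 4.1.2.2: conforming CAs MUST use a positive integer of at most
    20 octets.  DER INTEGER is two's-complement, so a value whose high bit is
    set needs a leading 0x00 to stay positive; that is why 1..127 is the only
    range that fits in a single content octet.
    """
    if serial <= 0:
        raise ValueError("serialNumber must be a positive integer (RFC 5280 4.1.2.2)")
    content = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) > 20:
        raise ValueError("serialNumber must not exceed 20 octets (RFC 5280 4.1.2.2)")
    return der_tlv(0x02, content)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def serial_from_tbs(tbs: bytes) -> int:
    """Extract serialNumber from a DER TBSCertificate.

    version [0] EXPLICIT may be absent (DEFAULT v1); serialNumber may not.
    """
    tag, seq, _ = read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    tag, content, pos = read_tlv(seq, 0)
    if tag == 0xA0:  # [0] EXPLICIT Version is present; skip it
        tag, content, pos = read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("serialNumber (INTEGER) missing: it is not OPTIONAL in RFC 5280 4.1")
    return int.from_bytes(content, "big", signed=True)


def toy_tbs(serial, with_version: bool = True) -> bytes:
    """Constructed sample: only the first fields of a TBSCertificate.

    Not a complete or signable certificate; serial=None deliberately omits
    the serialNumber so the parser's rejection can be observed.
    """
    parts = []
    if with_version:
        parts.append(der_tlv(0xA0, der_tlv(0x02, b"\x02")))  # version v3
    if serial is not None:
        parts.append(encode_serial(serial))
    # signature AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL params
    sig_oid = bytes.fromhex("06092a864886f70d01010b")
    parts.append(der_tlv(0x30, sig_oid + b"\x05\x00"))
    return der_tlv(0x30, b"".join(parts))


if __name__ == "__main__":
    print("serial 1   ->", encode_serial(1).hex())      # 020101: one content octet
    print("serial 128 ->", encode_serial(128).hex())    # 02020080: leading zero needed
    print("parsed     ->", serial_from_tbs(toy_tbs(1)))
    try:
        serial_from_tbs(toy_tbs(None))
    except ValueError as exc:
        print("no serial  ->", exc)
```

The one-octet minimum the reply mentions therefore covers serial values 1 through 127 only; 128 and above already cost two octets, and 0 is excluded for conforming CAs even though OpenSSL will parse such a certificate.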