Can create a cert with no serial number?

Robert Moskowitz rgm at htt-consult.com
Wed May 31 13:55:00 UTC 2023


OK.  I am looking at absolute certificate DER size and able to squeeze 
them into very small packets.  The content should not be used in the 
apps, but if the libraries blow up without it, that would not be good.

On 5/31/23 09:50, Frank-Ulrich Sommer wrote:
> RFC5280 which specifies X.509 certificates states that the serial 
> number is a MUST field and it must be unique. By limiting it to one 
> byte the number of certificates should be limited to 256.
>
> As I can't see any significant advantage I would not risk 
> compatibility problems and just leave it as it is. A cert without 
> serial number could be at risk of being treated as invalid.
>
>
> On 31 May 2023 15:41:02 CEST, Robert Moskowitz 
> <rgm at htt-consult.com> wrote:
>
>     I tried putting in my conf: serial = none and that made an error.
>     Best I have done is a serial of length 1 byte.  But in my work,
>     the subject or SAN provide uniqueness and CRLs will not be used. 
>     So want to see if I can create a cert with NO serial number. Thanks
>
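
Added example, not part of the original thread or of OpenSSL: a small DER reader showing where serialNumber sits in an RFC 5280 tbsCertificate, that a 1-byte serial costs 3 encoded bytes, and how a reader following that layout fails when the field is absent. The two byte strings are constructed fragments (leading tbsCertificate fields only), and the function names are hypothetical.

```python
def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV starting at off."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                 # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length


def serial_field(tbs):
    """Return (serial value bytes, encoded size of the field) from a tbsCertificate."""
    tag, start, _ = read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    off = start
    tag, vstart, vend = read_tlv(tbs, off)
    if tag == 0xA0:                   # optional [0] EXPLICIT version comes first
        off = vend
        tag, vstart, vend = read_tlv(tbs, off)
    if tag != 0x02:                   # serialNumber is a non-optional INTEGER
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return tbs[vstart:vend], vend - off


# Constructed fragments: version v3, then (optionally) serial 1, then an
# AlgorithmIdentifier SEQUENCE. Real certificates continue with issuer etc.
WITH_SERIAL = bytes.fromhex("300f a003020102 020101 300506032b6570")
WITHOUT_SERIAL = bytes.fromhex("300c a003020102 300506032b6570")

if __name__ == "__main__":
    value, size = serial_field(WITH_SERIAL)
    print("serial", value.hex(), "costs", size, "bytes of DER")
    try:
        serial_field(WITHOUT_SERIAL)
    except ValueError as exc:
        print("no serial:", exc)
```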