Can create a cert with no serial number?

Mark Hack markhack at markhack.com
Wed May 31 14:19:35 UTC 2023


Robert

If your aim is to have very compact certificates, look at using elliptic
curves and ECDSA instead of RSA certs. You could use P224 curves, but I
do suggest that you use P256 instead, which does not cost a lot more in
space and gives you 128-bit equivalent strength.


Regards
Mark Hack

On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
> RFC5280 which specifies X.509 certificates states that the serial
> number is a MUST field and it must be unique. By limiting it to one
> byte the number of certificates should be limited to 256.
> 
> As I can't see any significant advantage, I would not risk
> compatibility problems and would just leave it as it is. A cert without
> a serial number could be at risk of being treated as invalid.
> 
> On 31 May 2023 15:41:02 CEST, Robert Moskowitz <
> rgm at htt-consult.com> wrote:
> > I tried putting in my conf:
> > 
> > serial = none
> > 
> > and that made an error.
> > 
> > Best I have done is a serial of length 1 byte.  But in my work, the
> > subject or SAN provide uniqueness and CRLs will not be used.  So I
> > want to see if I can create a cert with NO serial number.
> > 
> > Thanks
> > 
> > 
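The two practical points in this thread (OpenSSL always emits a serialNumber, and an ECDSA P-256 certificate is far smaller than an RSA one) can be checked directly with the openssl command line. The script below is an added example written for this page, not code from any of the posters; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH and a writable temp dir, and it ships its own minimal req config so it does not depend on the system openssl.cnf. It builds two self-signed certificates with `-set_serial 1` (the one-byte serial Robert ended up with), reads the serial back, measures the encoded length of the serialNumber INTEGER with `openssl asn1parse`, and compares total DER sizes.

```shell
#!/bin/sh
# Added example, not code from the thread: build two self-signed certificates with
# OpenSSL, both with a one-byte serial number (value 1), then show that the
# serialNumber INTEGER is present in the DER and how much smaller an ECDSA P-256
# certificate is than an RSA-2048 one.
# Assumptions: `openssl` (1.1.1 or 3.x) on PATH and a writable temp dir.
set -eu

WORK="${TMPDIR:-/tmp}/serial-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf;
# the subject is overridden with -subj below.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# make_cert ALGO: self-signed cert + unencrypted key for ALGO in {ec,rsa}.
make_cert() {
  case "$1" in
    ec)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:P-256" ;;
    rsa) keyopts="-newkey rsa:2048" ;;
    *)   echo "make_cert: unknown algorithm '$1'" >&2; return 1 ;;
  esac
  # $keyopts is deliberately unquoted: it carries several arguments.
  openssl req -x509 -config "$WORK/req.cnf" -nodes $keyopts -sha256 -days 1 \
      -subj "/CN=serial-demo-$1" -set_serial 1 \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# cert_serial ALGO: serial number as OpenSSL prints it (hex, "serial=" prefix stripped).
cert_serial() {
  openssl x509 -in "$WORK/$1.pem" -noout -serial | sed 's/^serial=//'
}

# serial_der_length ALGO: content length in bytes of the serialNumber INTEGER.
# In TBSCertificate the serial is the first INTEGER at depth 2; the version
# INTEGER sits one level deeper, inside the [0] EXPLICIT tag.
serial_der_length() {
  openssl asn1parse -in "$WORK/$1.pem" \
    | awk '/d=2 / && /prim: INTEGER/ { sub(/.*l= */, ""); sub(/ .*/, ""); print; exit }'
}

# cert_der_size ALGO: size of the whole certificate in DER form, in bytes.
cert_der_size() {
  openssl x509 -in "$WORK/$1.pem" -outform DER | wc -c | tr -d ' '
}

make_cert ec
make_cert rsa
for algo in ec rsa; do
  printf '%-4s serial=%s serial_len=%s der_bytes=%s\n' \
    "$algo" "$(cert_serial "$algo")" "$(serial_der_length "$algo")" "$(cert_der_size "$algo")"
done
```

Both certificates come out with `serial=01` and a one-byte serialNumber; there is no option that omits the field, because RFC 5280 §4.1.2.2 makes it mandatory and requires a positive integer of at most 20 octets, and a parser that finds a SEQUENCE (the signature AlgorithmIdentifier) where it expects that INTEGER will reject the certificate. A one-byte serial is legal DER and fine for a closed PKI like the one Robert describes; the caveat for anything publicly trusted is that the CA/Browser Forum Baseline Requirements require serials to carry at least 64 bits of CSPRNG output, so the savings have to come from the key and signature sizes, where P-256 beats RSA-2048 by several hundred bytes.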