Can create a cert with no serial number?

Robert Moskowitz rgm at htt-consult.com
Wed May 31 16:38:42 UTC 2023


Mark,

Thanks, but I am using EdDSA25519 already.

On 5/31/23 10:19, Mark Hack wrote:
> Robert
>
> If your aim is to have very compact certificates, look at using 
> elliptic curves and ECDSA instead of RSA certs. You could use P224 
> curves but I do suggest that you use P256 instead which do not cost a 
> lot more in space and give you 128bit equivalent strength.
>
>
> Regards
> Mark Hack
>
> On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
>> RFC5280 which specifies X.509 certificates states that the serial 
>> number is a MUST field and it must be unique. By limiting it to one 
>> byte the number of certificates should be limited to 256.
>>
>> As I can't see any significant advantage I would not risk 
>> compatibility problems and just leave it as it is. A cert without 
>> serial number could be at risk of being treated as invalid.
>>
>> Am 31. Mai 2023 15:41:02 MESZ schrieb Robert Moskowitz 
>> <rgm at htt-consult.com>:
>>> I tried putting in my conf:
>>>
>>> serial = none
>>>
>>> and that made an error.
>>>
>>> Best I have done is a serial of length 1 byte.  But in my work, the 
>>> subject or SAN provide uniqueness and CRLs will not be used.  So 
>>> want to see if I can create a cert with NO serial number.
>>>
>>> Thanks
>>>
>>>
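As an added illustration of the RFC 5280 point raised in the thread (not code from the thread or from OpenSSL), the stdlib-only Python below parses a DER certificate just far enough to pull out tbsCertificate.serialNumber and checks it against section 4.1.2.2: present, a positive non-zero INTEGER, at most 20 octets, minimally encoded. The `constructed_cert` and `constructed_cert_without_serial` helpers are assumptions for the demo: they build a truncated Certificate holding only version and serial, which is enough input for the serial checks but is not a verifiable certificate.

```python
"""
Check tbsCertificate.serialNumber of a DER-encoded X.509 certificate
against RFC 5280 section 4.1.2.2 using only the standard library.
"""
from typing import List, Tuple


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos).
    Single-byte tags and definite lengths only, which is all the outer
    structure of a Certificate uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element content")
    return tag, buf[pos:end], end


def extract_serial(cert_der: bytes) -> bytes:
    """Return the content octets of tbsCertificate.serialNumber."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # [0] EXPLICIT version is optional; skip it
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber missing: expected INTEGER, got tag 0x%02x" % tag)
    return value


def check_serial(serial: bytes) -> List[str]:
    """Return the RFC 5280 problems with a serialNumber (empty list = conforming)."""
    problems = []
    if not serial:
        return ["empty INTEGER"]
    if serial[0] & 0x80:
        problems.append("negative serial number")
    if int.from_bytes(serial, "big", signed=True) == 0:
        problems.append("serial number is zero")
    if len(serial) > 20:
        problems.append("serial longer than 20 octets")
    if len(serial) > 1 and serial[0] == 0x00 and not serial[1] & 0x80:
        problems.append("non-minimal DER encoding (leading zero octet)")
    return problems


def audit_certificate(cert_der: bytes) -> List[str]:
    """Combine extraction and checks; a structural failure is reported, not raised."""
    try:
        return check_serial(extract_serial(cert_der))
    except ValueError as exc:
        return [str(exc)]


# --- constructed sample input (hypothetical, not real certificates) -------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


def constructed_cert(serial: bytes) -> bytes:
    """A Certificate whose tbsCertificate holds only version (v3) and the given
    serial; later fields are omitted, so this is enough for the serial checks
    but is not a verifiable certificate."""
    version = der(0xA0, der(0x02, b"\x02"))
    return der(0x30, der(0x30, version + der(0x02, serial)))


def constructed_cert_without_serial() -> bytes:
    """Same shape, but the INTEGER is left out and an empty SEQUENCE (where
    the signature AlgorithmIdentifier would sit) follows version directly."""
    version = der(0xA0, der(0x02, b"\x02"))
    return der(0x30, der(0x30, version + der(0x30, b"")))


if __name__ == "__main__":
    for label, cert in [("one-byte serial 0x01", constructed_cert(b"\x01")),
                        ("serial 0x00", constructed_cert(b"\x00")),
                        ("21-octet serial", constructed_cert(b"\x01" + bytes(20))),
                        ("no serial at all", constructed_cert_without_serial())]:
        print(f"{label}: {audit_certificate(cert) or 'conforms'}")
```

The same `audit_certificate` can be pointed at a real DER file (`open(path, "rb").read()`) to lint certificates a pipeline emits. One caveat on the one-byte option discussed above: because RFC 5280 requires a positive INTEGER and DER prefixes a positive value whose top bit is set with a 0x00 octet, a single content octet covers serial values 1 to 127; 128 already takes two octets.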