[openssl-users] Personal CA: are cert serial numbers critical?

Wouter Verhelst wouter.verhelst at fedict.be
Wed Aug 16 13:43:08 UTC 2017


On 16-08-17 15:24, Tom Browder wrote:
[...]
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given
> that the certs are only used for us.  I'm not even sure I'll ever revoke
> any cert (they were issued to expire sometime in 2030).

You should revoke certificates when their private keys are compromised;
e.g., when the machine on which they were stored is stolen, lost, or
broken into by a remote attacker based on password guessing, user error,
social engineering, or something of the sort. You aren't sure that any
of that will happen now, but usually people who are compromised never
expected that. Don't assume that just because they are
password-protected they are safe; passwords will delay the
attacker, but not stop them.

To accommodate for that, you should generate the CRLs for your
certificates now, even if they're empty, and make sure that the software
you've configured to use your private CA is set up to check the CRLs. That
way, when you become aware of a compromised private key of one of the
certificates, you don't need to hurry to reconfigure all those services,
but can simply revoke the certificate and possibly force critical
applications to reread the CRL (e.g., by restarting the service),
thereby turning a possibly full-day panicked "help I was compromised"
into a five-minute "certificate revoked, done" session.

> So, in summary, do I need to ensure cert serial numbers are unique for
> my CA?

Since CRLs expect that your serial numbers are unique, yes, you do need
to ensure that.

-- 
Wouter Verhelst
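The CRL-first workflow recommended above, as an added shell example that is not part of the thread: it builds a throwaway CA with OpenSSL, publishes an empty CRL before issuing anything, then revokes one certificate (looked up by its serial number in the CA database) and republishes the CRL. The file names, CN values and directory layout are assumptions made for the demo.

```shell
# Added example, not from the thread: throwaway personal CA with a CRL from day one.
set -u; WORK=$(mktemp -d); cd "$WORK"
setup_ca() {
  mkdir -p newcerts; : > index.txt       # openssl ca's database, one row per serial
  echo 1000 > serial; echo 01 > crlnumber  # next serial; must stay unique per CA
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = personal_ca
[ personal_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=Demo-Personal-CA -days 3650 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null  # empty CRL, published now
}
issue_cert() {   # $1 = host name; the CA records the serial it assigns in index.txt
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl ca -config ca.cnf -batch -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke_cert() {  # mark the cert's serial revoked in the database, then republish the CRL
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
check_cert() {   # what a CRL-checking relying party concludes about $1.crt
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}
setup_ca; issue_cert web.example.test
echo "before revocation: $(check_cert web.example.test)"   # valid
revoke_cert web.example.test
echo "after revocation:  $(check_cert web.example.test)"   # rejected
```

Because the CRL lists revoked certificates by serial number, a second certificate that reused a revoked serial would be rejected too, which is why the serial file must never be reset or reused.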

