[openssl-users] Personal CA: are cert serial numbers critical?
Kyle Hamilton
aerowolf at gmail.com
Thu Aug 17 02:33:46 UTC 2017
Certificate serial numbers must be unique. They need not be sequential or
increasing. (Mozilla's NSS will complain and refuse to work if there are
duplicate serial numbers.)
I tend not to re-use keys, so I've found that putting 20 bytes (while
clearing the high bit) of a digest of the SubjectPublicKeyInfo as the
serial number works in that circumstance. [if you leave the high bit set,
then DER mandates that it be encoded with a leading 0x00 byte, which makes
it 21 bytes... which can cause problems with things built for PKIX.]
-Kyle H
On Wed, Aug 16, 2017 at 6:24 AM, Tom Browder <tom.browder at gmail.com> wrote:
> Many years ago I started a CA for one group I manage for a private
> website, and now I want to update members' client certs for the stricter
> requirements for browsers.
>
> My original cert generation was entirely automated including the following:
>
> + CN for each is an e-mail address for the member
>
> + the passphrase for each member's cert is determined from a pre-generated
> list by me, it will not change
>
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given that
> the certs are only used for us. I'm not even sure I'll ever revoke any
> cert (they were issued to expire sometime in 2030).
>
> So, in summary, do I need to ensure cert serial numbers are unique for my
> CA?
>
> With warmest regards,
>
> -Tom
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170816/2ad04739/attachment.html>
More information about the openssl-users
mailing list