[openssl-users] Personal CA: are cert serial numbers critical?

Kyle Hamilton aerowolf at gmail.com
Thu Aug 17 02:33:46 UTC 2017

Certificate serial numbers must be unique.  They need not be sequential or
increasing.  (Mozilla's NSS will complain and refuse to work if there are
duplicate serial numbers.)

I tend not to re-use keys, so I've found that putting 20 bytes (while
clearing the high bit) of a digest of the SubjectPublicKeyInfo as the
serial number works in that circumstance.  [if you leave the high bit set,
then DER mandates that it be encoded with a leading 0x00 byte, which makes
it 21 bytes... which can cause problems with things built for PKIX.]

-Kyle H

On Wed, Aug 16, 2017 at 6:24 AM, Tom Browder <tom.browder at gmail.com> wrote:

> Many years ago I started a CA for one group I manage for a private
> website, and now I want to update members' client certs for the stricter
> requirements for browsers.
> My original cert generation was entirely automated including the following:
> + CN for each is an e-mail address for the member
> + the passphrase for each member's cert is determined from a pre-generated
> list by me, it will not change
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given that
> the certs are only used for us.  I'm not even sure I'll ever revoke any
> cert (they were issued to expire sometime in 2030).
> So, in summary, do I need to ensure cert serial numbers are unique for my
> CA?
> With warmest regards,
> -Tom
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170816/2ad04739/attachment.html>

More information about the openssl-users mailing list