[openssl-users] More on cert serialnumbers

Robert Moskowitz rgm at htt-consult.com
Thu Aug 17 14:40:47 UTC 2017

I have been researching serial numbers in certs based on Jakob's comment:

"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as 
  numbers and as DER-encoded numbers.  Note that this is not the default in
  the openssl ca program.

- Serial numbers contain cryptographically strong random bits, currently at
  least 64 random bits, though it is best if the entire serial number looks
  random from the outside.  This is not implemented by the openssl ca 

And this is supposedly from the CA/B BF?

Though Erwann responded:

"There’s no such requirement. It MUST be at most 20 octets long"

I see how for all certs other than the root (get to that later), I can 
control this with:

openssl rand -hex 20 > serial

then use 'openssl ca ...'

But from Kyle's comment, the first bit must be ZERO.

"I tend not to re-use keys, so I've found that putting 20 bytes (while 
clearing the high bit) of a digest of the SubjectPublicKeyInfo as the 
serial number works in that circumstance.  [if you leave the high bit 
set, then DER mandates that it be encoded with a leading 0x00 byte, 
which makes it 21 bytes... which can cause problems with things built 
for PKIX.]"

Will that be the case with the above 'openssl rand', or is there some 
other step needed to zero out the first bit?

And is the openssl rand function 'safe' to use?  Is it cryptographically 

As for the root cert created with 'openssl req ... -new -x509', it seems 
that a random 8 octet serial number is provided.  Is there a way to 
boost that to 20 octets?  Does it matter per Erwann's comment above?

Actually, I am trying to keep certs small, and the CAs I picture are not 
for millions of certs.  Smaller serial number size would be the preferred 
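As an added example (not part of the thread or of OpenSSL itself), a small POSIX shell helper around the `openssl rand -hex 20` step discussed above: it clears the high bit of the first byte so the serial encodes as a 20-byte DER INTEGER rather than 21, and checks a candidate serial for the serial file. The function names are my own; it assumes `openssl` is on PATH only for `gen_serial`.

```shell
#!/bin/sh
# Added example: a 20-byte random serial for the `openssl ca` serial file.
# DER encodes a positive INTEGER whose top bit is set with a leading 0x00
# byte, so 20 random bytes with the high bit set become 21 bytes on the wire.

# Clear bit 7 of the first byte of a hex string (pure string transform).
clear_high_bit() {
    first=$(printf '%s' "$1" | cut -c1-2)
    rest=$(printf '%s' "$1" | cut -c3-)
    first=$(printf '%02x' $(( 0x$first & 0x7f )))
    printf '%s%s\n' "$first" "$rest"
}

# Length in bytes of the DER INTEGER content for a hex serial.
# Only models the high-bit rule; it assumes the first byte is non-zero
# (a leading 0x00 byte would instead be stripped and shorten the encoding).
der_int_len() {
    case "$1" in
        [0-7]*) echo $(( ${#1} / 2 )) ;;
        *)      echo $(( ${#1} / 2 + 1 )) ;;
    esac
}

# Accept only 40 hex chars (20 bytes) whose first nibble is 0-7,
# i.e. a serial that stays exactly 20 bytes when DER encoded.
check_serial() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        [0-7]*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Draw 20 bytes from openssl rand and clear the high bit (needs openssl).
gen_serial() {
    hex=$(openssl rand -hex 20) || return 1
    clear_high_bit "$hex"
}
```

Write the output of `gen_serial` into the `serial` file that `openssl ca` reads; `check_serial` can be run on an existing serial file before signing.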
