[openssl-users] SSL Cert serial number non-uniqueness impact

Jochen Bern Jochen.Bern at binect.de
Sun Jan 14 11:30:55 UTC 2018


On 01/14/2018 12:07 PM, pratyush parimal wrote:
> I read  from several sources that the serial number of a cert MUST be
> unique within a CA. But could someone explain what would happen if the
> serial number was not unique?

Certificate Revocation Lists (CRLs) identify invalid certificates by
means of a) the CA keypair that issued it (the pubkey being represented
in the signature) and b) the serial number, *not* pubkey / DN / ..., of
the invalid cert. If that's not unique, revoking one of the affected
certs will have the effect of revoking them all.

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
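
The behaviour described in the reply above, reproduced end to end with the openssl command-line tool. This is an added example and not part of the original message: it builds a throw-away CA, issues two leaf certificates that differ in key and name but share one serial, revokes only the first, and shows that the CRL check rejects both while a third certificate with its own serial stays valid. It assumes an openssl binary (1.1.1 or 3.x) on PATH; all file names, section names and the serial values are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI (1.1.1 or 3.x) on PATH.
# Everything below lives in a temporary directory and is removed on exit.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl req` and `openssl ca`. Names are hypothetical; this is a demo CA.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial.txt
crlnumber = crlnumber.txt
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

# Self-signed demo CA plus the empty database files `openssl ca` expects.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -extensions v3_ca -days 1 >/dev/null 2>&1
: > index.txt
echo 01 > serial.txt
echo 01 > crlnumber.txt

# issue NAME SERIAL: fresh key + CSR for CN=NAME, signed by the demo CA with the given serial.
issue() {
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" \
      -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
      -days 1 -out "$1.crt" >/dev/null 2>&1
}

# crl_status CERT: "valid" if `openssl verify -crl_check` accepts it, "revoked" if the CRL
# matches it, otherwise the verifier's own error text.
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1) && { echo valid; return; }
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
}

# duplicate_serials CERT...: the audit check a CA operator wants; prints every serial
# that appears on more than one of the given certificates.
duplicate_serials() {
  for c in "$@"; do openssl x509 -noout -serial -in "$c"; done | sort | uniq -d
}

issue alice 0x1000
issue bob   0x1000   # same serial as alice, different key and different subject
issue carol 0x1001   # control: its own serial

# Revoke alice only, then publish a CRL. The CRL entry carries the serial, not the key or DN.
openssl ca -config ca.cnf -revoke alice.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

echo "alice: $(crl_status alice.crt)"   # revoked
echo "bob:   $(crl_status bob.crt)"     # revoked as well: same issuer, same serial
echo "carol: $(crl_status carol.crt)"   # valid
echo "duplicate serials: $(duplicate_serials alice.crt bob.crt carol.crt)"   # serial=1000
```

bob.crt is rejected even though nobody revoked it: a CRL entry identifies a certificate by issuer and serial number only, so anything the same CA issued under that serial is caught by the same entry. The `duplicate_serials` helper is the check worth running over a CA's issued certificates (or its `index.txt`) before a collision turns into a revocation of the wrong party.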
