[openssl-users] SSL Cert serial number non-uniqueness impact

Kyle Hamilton aerowolf at gmail.com
Tue Jan 16 17:16:08 UTC 2018


It's important to note that NSS-based applications (such as Firefox)
will actually categorically refuse to connect to a site with an
Issuer/serial collision with another certificate it has seen before.

So yes, it can cause some applications to fail their SSL connections.

-Kyle H

On Tue, Jan 16, 2018 at 1:26 AM, Wouter Verhelst
<wouter.verhelst at bosa.fgov.be> wrote:
> On 14/01/2018 12:07, pratyush parimal wrote:
>> Hi everyone,
>>
>> I read  from several sources that the serial number of a cert MUST be
>> unique within a CA. But could someone explain what would happen if the
>> serial number was not unique?
>
> The certificate itself will continue to work (the signature will be
> valid), but requesting status on the certificate (e.g., through OCSP or
> by doing a lookup in a CRL) will not work as expected as those use the
> serial number as an identifier.
>
>> Would it cause SSL connections to fail in some manner?
> No, but if the peer wants to request information on the used certificate
> from the CA to verify whether the certificate is still valid, it may end
> up receiving information about the wrong certificate.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list