rfc5280 serialNumber question

Robert Moskowitz rgm at htt-consult.com
Fri Jul 21 12:58:41 UTC 2023

Per sec

    Given the uniqueness requirements above, serial numbers can be
    expected to contain long integers.  Certificate users MUST be able to
    handle serialNumber values up to 20 octets.  Conforming CAs MUST NOT
    use serialNumber values longer than 20 octets.

At some point some years ago it was pointed out here that serialNumber 
OID encoding preappends 0x00 if the first bit is a 1.

Does this actually make the serialNumber a byte longer?  Or is this only 
encoding?  Thus IF that first bit is a 1, obviously the OID value is a 
byte longer.  But when the serialNumber OID is decoded is this longer 
value returned or the original value?

I am girding up to debate an implementation where the CP says 
serialNumber MUST be unique, and their implementation uses a 20-byte 
SN.  I don't think they take care at all about the value of the 1st 
byte.  I doubt in their testing to date they have generated a SN in that 

So how does the SN with the added byte get decoded?


More information about the openssl-users mailing list