rfc5280 serialNumber question
rgm at htt-consult.com
Fri Jul 21 12:58:41 UTC 2023
Per sec 220.127.116.11
Given the uniqueness requirements above, serial numbers can be
expected to contain long integers. Certificate users MUST be able to
handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
use serialNumber values longer than 20 octets.
At some point some years ago it was pointed out here that serialNumber
OID encoding preappends 0x00 if the first bit is a 1.
Does this actually make the serialNumber a byte longer? Or is this only
encoding? Thus IF that first bit is a 1, obviously the OID value is a
byte longer. But when the serialNumber OID is decoded is this longer
value returned or the original value?
I am girding up to debate an implementation where the CP says
serialNumber MUST be unique, and their implementation uses a 20-byte
SN. I don't think they take care at all about the value of the 1st
byte. I doubt in their testing to date they have generated a SN in that
So how does the SN with the added byte get decoded?
More information about the openssl-users