rfc5280 serialNumber question

Corey Bonnell Corey.Bonnell at digicert.com
Fri Jul 21 13:11:58 UTC 2023

Hi Robert,
Are you referring to the serialNumber field of a certificate, or the 
serialNumber name attribute? The former is encoded as an ASN.1 INTEGER, not an 


-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Robert 
Sent: Friday, July 21, 2023 8:59 AM
To: openssl-users at openssl.org
Subject: rfc5280 serialNumber question

Per sec

    Given the uniqueness requirements above, serial numbers can be
    expected to contain long integers.  Certificate users MUST be able to
    handle serialNumber values up to 20 octets.  Conforming CAs MUST NOT
    use serialNumber values longer than 20 octets.

At some point some years ago it was pointed out here that serialNumber OID 
encoding preappends 0x00 if the first bit is a 1.

Does this actually make the serialNumber a byte longer?  Or is this only 
encoding?  Thus IF that first bit is a 1, obviously the OID value is a byte 
longer.  But when the serialNumber OID is decoded is this longer value 
returned or the original value?

I am girding up to debate an implementation where the CP says serialNumber 
MUST be unique, and their implementation uses a 20-byte SN.  I don't think 
they take care at all about the value of the 1st byte.  I doubt in their 
testing to date they have generated a SN in that range.

So how does the SN with the added byte get decoded?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5257 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230721/5a70407f/attachment.p7s>

More information about the openssl-users mailing list