rfc5280 serialNumber question

Robert Moskowitz rgm at htt-consult.com
Fri Jul 21 14:55:24 UTC 2023

The serialNumber of the certificate.  Not the serialNumber as part of a DN.

On 7/21/23 09:11, Corey Bonnell wrote:
> Hi Robert,
> Are you referring to the serialNumber field of a certificate, or the
> serialNumber name attribute? The former is encoded as an ASN.1 INTEGER, not an
> OID.
> Thanks,
> Corey
> -----Original Message-----
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Robert
> Moskowitz
> Sent: Friday, July 21, 2023 8:59 AM
> To: openssl-users at openssl.org
> Subject: rfc5280 serialNumber question
> Per sec
>      Given the uniqueness requirements above, serial numbers can be
>      expected to contain long integers.  Certificate users MUST be able to
>      handle serialNumber values up to 20 octets.  Conforming CAs MUST NOT
>      use serialNumber values longer than 20 octets.
> At some point some years ago it was pointed out here that serialNumber OID
> encoding preappends 0x00 if the first bit is a 1.
> Does this actually make the serialNumber a byte longer?  Or is this only
> encoding?  Thus IF that first bit is a 1, obviously the OID value is a byte
> longer.  But when the serialNumber OID is decoded is this longer value
> returned or the original value?
> I am girding up to debate an implementation where the CP says serialNumber
> MUST be unique, and their implementation uses a 20-byte SN.  I don't think
> they take care at all about the value of the 1st byte.  I doubt in their
> testing to date they have generated a SN in that range.
> So how does the SN with the added byte get decoded?
> thanks

More information about the openssl-users mailing list