rfc5280 serialNumber question
Robert Moskowitz
rgm at htt-consult.com
Fri Jul 21 14:55:24 UTC 2023
The serialNumber of the certificate. Not the serialNumber as part of a DN.
On 7/21/23 09:11, Corey Bonnell wrote:
> Hi Robert,
> Are you referring to the serialNumber field of a certificate, or the
> serialNumber name attribute? The former is encoded as an ASN.1 INTEGER, not an
> OID.
>
> Thanks,
> Corey
>
> -----Original Message-----
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Robert
> Moskowitz
> Sent: Friday, July 21, 2023 8:59 AM
> To: openssl-users at openssl.org
> Subject: rfc5280 serialNumber question
>
> Per sec 4.1.2.2
>
> Given the uniqueness requirements above, serial numbers can be
> expected to contain long integers. Certificate users MUST be able to
> handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
> use serialNumber values longer than 20 octets.
>
>
> At some point some years ago it was pointed out here that serialNumber OID
> encoding prepends 0x00 if the first bit is a 1.
>
> Does this actually make the serialNumber a byte longer? Or is this only
> encoding? Thus IF that first bit is a 1, obviously the OID value is a byte
> longer. But when the serialNumber OID is decoded is this longer value
> returned or the original value?
>
>
> I am girding up to debate an implementation where the CP says serialNumber
> MUST be unique, and their implementation uses a 20-byte SN. I don't think
> they take care at all about the value of the 1st byte. I doubt in their
> testing to date they have generated a SN in that range.
>
> So how does the SN with the added byte get decoded?
>
> thanks
>
>
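The encoding rule under discussion, as an added worked example that is not part of the thread and not OpenSSL's own code: a small DER INTEGER encoder/decoder shows why a 0x00 byte is prepended when the high bit of the first content octet is set, that decoding returns the original value (the padding byte is absorbed by two's-complement interpretation), and that the RFC 5280 20-octet limit is measured on the content octets with that padding included. The helper names (der_encode_integer, der_decode_integer, serial_conforms) and the sample values are constructed for this illustration.

```python
from typing import Tuple

# RFC 5280 sec 4.1.2.2: serialNumber content octets (padding included) must not exceed 20.
RFC5280_MAX_SERIAL_OCTETS = 20


def _der_length(n: int) -> bytes:
    """DER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_integer(value: int) -> bytes:
    """Encode a positive integer as an ASN.1 DER INTEGER (tag 0x02).

    DER INTEGERs are two's-complement, so if the top bit of the first
    content octet is 1 a leading 0x00 is prepended; otherwise the value
    would decode as a negative number. That byte counts toward the length.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return b"\x02" + _der_length(len(content)) + content


def der_decode_integer(data: bytes) -> Tuple[int, int]:
    """Decode a DER INTEGER; return (value, number_of_content_octets).

    The returned value is the original number: the 0x00 padding byte does
    not change it, it only widens the encoding by one octet.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nlen = first & 0x7F
        length = int.from_bytes(data[2:2 + nlen], "big")
        offset = 2 + nlen
    content = data[offset:offset + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty INTEGER")
    # DER requires minimal encoding: reject a redundant leading 0x00 or 0xFF.
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    if length > 1 and content[0] == 0xFF and (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True), length


def serial_conforms(value: int) -> bool:
    """True iff the serial is positive and its DER content octets fit in 20.

    A value whose 20th byte has the top bit set needs 21 content octets and
    so violates the limit even though the 'raw' number is only 20 bytes long.
    """
    if value <= 0:
        return False
    decoded, n_octets = der_decode_integer(der_encode_integer(value))
    assert decoded == value  # round trip preserves the original value
    return n_octets <= RFC5280_MAX_SERIAL_OCTETS


def serial_from_random_octets(raw: bytes) -> int:
    """Constructed CA-style serial: interpret 20 random octets as an integer.

    If the first octet's high bit is set, the DER form grows to 21 octets;
    a conforming CA must avoid or re-draw such values.
    """
    if len(raw) != 20:
        raise ValueError("expected 20 octets")
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    # Constructed sample serials: 20 raw octets with and without the high bit set.
    high_bit_set = serial_from_random_octets(bytes([0x80]) + b"\x00" * 19)
    high_bit_clear = serial_from_random_octets(bytes([0x7F]) + b"\xff" * 19)
    for label, serial in (("0x80...", high_bit_set), ("0x7f...", high_bit_clear)):
        enc = der_encode_integer(serial)
        value, n = der_decode_integer(enc)
        print(f"{label}: content octets={n}, conforms={serial_conforms(serial)}, "
              f"round-trip ok={value == serial}")
```

Running the script shows the first constructed serial encodes to 21 content octets (the padding byte plus 20 data bytes) and fails the 20-octet check, while the second stays at 20 and passes; in both cases decoding returns the original integer. The conformance check is the test a certificate policy reviewer would want to run against a CA's serial generator.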