Can create a cert with no serial number?
rgm at htt-consult.com
Thu Jun 1 01:21:07 UTC 2023
Neat! How do I force this? My current method
openssl rand -hex 1 > $dir/serial
and .cnf has
[ CA_default ]
serial = $dir/serial
When trying to squeeze as much as possible into a 255gm bag... :)
On 5/31/23 14:38, Corey Bonnell wrote:
> Making the serial number a value less than 128 will save another byte, as the
> leading 0x00 byte in the serialNumber INTEGER (to force a positive) will no
> longer be needed.
> -----Original Message-----
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Robert
> Sent: Wednesday, May 31, 2023 2:19 PM
> To: Richard Levitte <richard at levitte.org>
> Cc: openssl-users at openssl.org; Frank-Ulrich Sommer <fus at f-us.de>
> Subject: Re: Can create a cert with no serial number?
> Well, I got the DER down to 240 bytes by dropping all the constraints.
> Probably could cut more if I put the DET (a specific IPv6 address) somehow
> into subject rather than SAN flagged critical. For your review, this is what
> I have come up with. This will replace what I currently have in
> Use of this cert will rely on the DNS structure we will be creating for DRIP.
> For example to find the issuing cert, the CN below maps to a specific FQDN
> that any DRIP compliant implementation will know to find. And if this cert is
> not found in the matching ip6.arpa. fqdn it has been revoked. This cert is 2x
> the size of the DRIP specific RATS-styled Endorsement. Implementers will be
> able to choose their poison.
> Version: 3 (0x2)
> Serial Number: 160 (0xa0)
> Signature Algorithm: ED25519
> Issuer: CN = 2001003ffe3ff805S
> Not Before: May 21 00:00:00 2023 GMT
> Not After : May 24 00:00:00 2023 GMT
> Subject Public Key Info:
> Public Key Algorithm: ED25519
> ED25519 Public-Key:
> X509v3 extensions:
> X509v3 Subject Alternative Name: critical
> IP Address:2001:3F:FE3F:F805:A93E:53B7:2709:E0BA
> Signature Algorithm: ED25519
> Signature Value:
> On 5/31/23 13:36, Richard Levitte wrote:
>> The serial number is a defined field in the certificate structure.
>> It's not optional, so you can't get away from it.
>> In ASN.1 terms, it's an INTEGER. In DER terms, the smallest possible
>> INTEGER occupies 3 bytes (one for the tag, which is 02, one for the
>> length 01, and one value byte in the decimal range -128..127 (80..7F)).
>> Without the serial number (just like without any other non-optional
>> field), whatever you happen to produce will not be a recognisable
>> X.509 certificate.
>> That's it.
>> On Wed, 31 May 2023 15:55:00 +0200,
>> Robert Moskowitz wrote:
>>> OK. I am looking at absolute certificate DER size and able to
>>> squeeze them into very small packets. The content should not be used
>>> in the apps, but if the libraries blow up without it, that would not be
>>> On 5/31/23 09:50, Frank-Ulrich Sommer wrote:
>>> RFC5280 which specifies X.509 certificates states that the serial
>>> number is a MUST field and
>>> it must be unique. By limiting it to one byte the number of
>>> certificates should be limited to
>>> As I can't see any significant advantage I would not risk
>>> compatibility problems and just
>>> leave it as it is. A cert without serial number could be at risk of
>>> being treated as invalid.
>>> On 31 May 2023 15:41:02 CEST, Robert Moskowitz
>>> <rgm at htt-consult.com> wrote:
>>> I tried putting in my conf:
>>> serial = none
>>> and that made an error.
>>> Best I have done is a serial of length 1 byte. But in my work,
>>> the subject or SAN provide uniqueness and CRLs will not be used. So want
>>> to see if I can create a cert with NO serial number.
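The thread's three byte-counting facts (Richard's 3-byte minimum for the INTEGER, Corey's leading 0x00 for values of 0x80 and above, and the RFC 5280 "positive, at most 20 octets" rule Frank-Ulrich points at) are easy to check directly. The block below is an added example, not code from the thread or from OpenSSL: it encodes and strictly decodes a DER INTEGER in pure Python, reports what a given `serial` file value will cost in the certificate, and offers a replacement for `openssl rand -hex 1` that always stays in the 3-byte range. The only assumption is that OpenSSL's `ca` serial file is read as hex (which is why `openssl rand -hex 1` works there), so the two-digit string returned by `random_minimal_serial()` can be written to it as-is.

```python
"""Added example: not code from the thread or from OpenSSL.
Shows how serialNumber is laid out in DER, why a value below 128 saves
one byte, and how to check a serial against the RFC 5280 rules."""
import secrets
from typing import Dict, Iterable, Tuple


def der_integer(n: int) -> bytes:
    """Shortest DER encoding of an ASN.1 INTEGER: tag 0x02, length, content.

    DER mandates minimal two's-complement content, so a positive value whose
    top bit is set (0x80..0xFF) needs a leading 0x00 byte to stay positive.
    """
    magnitude = n if n >= 0 else ~n             # bits needed, sign bit excluded
    length = (magnitude.bit_length() + 8) // 8   # +1 sign bit, rounded up to bytes
    content = n.to_bytes(length, "big", signed=True)
    assert length < 0x80, "serials never need the long-form length octet"
    return b"\x02" + bytes([length]) + content


def parse_der_integer(buf: bytes) -> Tuple[int, int]:
    """Decode one DER INTEGER at the start of buf -> (value, bytes consumed).

    Rejects the non-minimal forms DER forbids; a strict verifier should treat
    those as malformed rather than silently accept BER.
    """
    if len(buf) < 3 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = buf[1]
    if length & 0x80 or length == 0:
        raise ValueError("unexpected length octet for a serialNumber")
    content = buf[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    if length > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding (BER, not DER)")
    return int.from_bytes(content, "big", signed=True), 2 + length


def rfc5280_serial_ok(n: int) -> bool:
    """RFC 5280 4.1.2.2: serialNumber MUST be a positive integer, and a
    conforming CA MUST NOT issue serials whose content exceeds 20 octets."""
    return n > 0 and len(der_integer(n)) - 2 <= 20


def serial_file_cost(hex_text: str) -> int:
    """Total bytes the serialNumber occupies for a value written to the
    OpenSSL `serial` file as hex (the form `openssl rand -hex 1` produces)."""
    return len(der_integer(int(hex_text.strip(), 16)))


def random_minimal_serial() -> str:
    """Drop-in for `openssl rand -hex 1` that always costs 3 bytes and never
    yields 0 (forbidden by RFC 5280): uniform over 0x01..0x7F.

    Assumption: the OpenSSL `ca` serial file is read as hex, so this string
    can be written to it directly (`serial = $dir/serial` in the .cnf).
    """
    return f"{secrets.randbelow(127) + 1:02x}"


def encoded_sizes(values: Iterable[int]) -> Dict[int, int]:
    """Map each candidate serial to its full DER size (tag + length + content)."""
    return {v: len(der_integer(v)) for v in values}


if __name__ == "__main__":
    for value, size in encoded_sizes([1, 127, 128, 160, 255, 256]).items():
        print(f"serial {value:>4} -> {der_integer(value).hex()}  {size} bytes")
    print("0xa0 from the serial file costs", serial_file_cost("a0"), "bytes")
    print("suggested serial file content:", random_minimal_serial())
```

With `openssl rand -hex 1` roughly half of the draws land in 80..ff and pay for the 0x00 pad (the 0xa0 in the dump above is one of them), and one draw in 256 is 00, which RFC 5280 does not allow as a serial at all; drawing from 01..7f instead keeps the field at its 3-byte floor every time and sidesteps the zero case.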