Can create a cert with no serial number?

Michael Richardson mcr at
Thu Jun 1 17:30:54 UTC 2023

Robert Moskowitz <rgm at> wrote:
    > I tried putting in my conf:
    > serial = none
    > and that made an error.

    > Best I have done is a serial of length 1 byte.  But in my work, the
    > subject or SAN provide uniqueness and CRLs will not be used.  So want
    > to see if I can create a cert with NO serial number.

I don't think RFC5280 lets you do that.
section 4.1 says:

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,

so making it one byte is the best you can do.
serialNumber is not an optional field.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 658 bytes
Desc: not available
URL: <>

More information about the openssl-users mailing list