Can create a cert with no serial number?

Frank-Ulrich Sommer fus at plutonium24.de
Wed May 31 13:55:10 UTC 2023


RFC 5280, which specifies X.509 certificates, states that the serial number is a MUST field and it must be unique. By limiting it to one byte the number of certificates should be limited to 256.

As I can't see any significant advantage I would not risk compatibility problems and just leave it as it is. A cert without a serial number could be at risk of being treated as invalid.

On 31 May 2023 15:41:02 CEST, Robert Moskowitz <rgm at htt-consult.com> wrote:
>I tried putting in my conf:
>
>serial = none
>
>and that made an error.
>
>Best I have done is a serial of length 1 byte.  But in my work, the subject or SAN provide uniqueness and CRLs will not be used.  So want to see if I can create a cert with NO serial number.
>
>Thanks
>
>
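
Added example (not part of the original message and not OpenSSL code): a Python check of the serialNumber field that RFC 5280 makes mandatory, of the kind a strict certificate parser might apply. It goes slightly beyond the message by also checking the RFC 5280 section 4.1.2.2 rules that the value be positive and at most 20 octets; uniqueness per issuer cannot be checked from one certificate. The helper names and the DER skeletons (leading TBSCertificate fields only, not complete certificates) are constructed for this example.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def lint_serial(cert_der):
    """Return a list of serialNumber problems; an empty list means OK."""
    tag, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        return ["outer element is not a SEQUENCE"]
    tag, tbs, _ = read_tlv(cert, 0)            # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        return ["tbsCertificate is not a SEQUENCE"]
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        tag, val, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:                            # serialNumber must be an INTEGER
        return ["serialNumber missing: found tag 0x%02x" % tag]
    problems = []
    if int.from_bytes(val, "big", signed=True) <= 0:
        problems.append("serialNumber must be a positive integer")
    if len(val) > 20:
        problems.append("serialNumber longer than 20 octets")
    return problems

def tlv(tag, body):
    """Encode a short-form DER TLV (constructed samples stay under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(body)]) + body

def skeleton(serial_bytes):
    """Constructed sample: version, optional serial, signature AlgorithmIdentifier."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))    # v3
    oid = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
    sig_alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    serial = b"" if serial_bytes is None else tlv(0x02, serial_bytes)
    return tlv(0x30, tlv(0x30, version + serial + sig_alg))
```

`lint_serial(skeleton(b"\x2a"))` returns an empty list for a one-byte serial, while `skeleton(None)` (no serial at all) is reported as missing because the parser finds the signature algorithm SEQUENCE where the INTEGER should be.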

