Can create a cert with no serial number?
Mark Hack
markhack at markhack.com
Wed May 31 14:19:35 UTC 2023
Robert
If your aim is to have very compact certifcates, look at using elliptic
curves and ECDSA instead of RSA certs. You could use P224 curves but I
do suggest that you use P256 instead which do not cost a lot more in
space and give you 128bit equivalent strength.
Regards
Mark Hack
On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
> RFC5280 which specifies X.509 certificates states that the serial
> number is a MUST field and it must be unique. By limiting it to one
> byte the number of certificates should be limited to 256.
>
> As I can't see any significant advantage I would not risk
> compatibility problems and just leave it as it is. A cert without
> serial number could be at risk of beeing treated as invalid.
>
> Am 31. Mai 2023 15:41:02 MESZ schrieb Robert Moskowitz <
> rgm at htt-consult.com>:
> > I tried putting in my conf:
> >
> > serial = none
> >
> > and that made an error.
> >
> > Best I have done is a serial of length 1 byte. But in my work, the
> > subject or SAN provide uniqueness and CRLs will not be used. So
> > want to see if I can create a cert with NO serial number.
> >
> > Thanks
> >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230531/ce98e963/attachment.htm>
More information about the openssl-users
mailing list