Can create a cert with no serial number?
Robert Moskowitz
rgm at htt-consult.com
Wed May 31 16:38:42 UTC 2023
Mark,
Thanks, but I am using EdDSA25519 already.
On 5/31/23 10:19, Mark Hack wrote:
> Robert
>
> If your aim is to have very compact certifcates, look at using
> elliptic curves and ECDSA instead of RSA certs. You could use P224
> curves but I do suggest that you use P256 instead which do not cost a
> lot more in space and give you 128bit equivalent strength.
>
>
> Regards
> Mark Hack
>
> On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
>> RFC5280 which specifies X.509 certificates states that the serial
>> number is a MUST field and it must be unique. By limiting it to one
>> byte the number of certificates should be limited to 256.
>>
>> As I can't see any significant advantage I would not risk
>> compatibility problems and just leave it as it is. A cert without
>> serial number could be at risk of beeing treated as invalid.
>>
>> Am 31. Mai 2023 15:41:02 MESZ schrieb Robert Moskowitz
>> <rgm at htt-consult.com>:
>>> I tried putting in my conf:
>>>
>>> serial = none
>>>
>>> and that made an error.
>>>
>>> Best I have done is a serial of length 1 byte. But in my work, the
>>> subject or SAN provide uniqueness and CRLs will not be used. So
>>> want to see if I can create a cert with NO serial number.
>>>
>>> Thanks
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230531/442b782a/attachment-0001.htm>
More information about the openssl-users
mailing list