Can create a cert with no serial number?
Richard Levitte
richard at levitte.org
Wed May 31 17:36:07 UTC 2023
The serial number is a defined field in the certificate structure.
It's not optional, so you can't get away from it.
In ASN.1 terms, it's an INTEGER. In DER terms, the smallest possible
INTEGER occupies 3 bytes (one for the tag, which is 02, one for the
length 01, and one value byte in the decimal range -128..127 (80..7F)).
Without the serial number (just like without any other non-optional
field), whatever you happen to produce will not be a recognisable
X.509 certificate.
That's it.
Cheers,
Richard
On Wed, 31 May 2023 15:55:00 +0200,
Robert Moskowitz wrote:
>
> OK. I am looking at absolute certificate DER size and able to squeeze them into very small
> packets. The content should not be used in the apps, but if the libraries blow up without it,
> that would not be good.
>
> On 5/31/23 09:50, Frank-Ulrich Sommer wrote:
>
> RFC5280 which specifies X.509 certificates states that the serial number is a MUST field and
> it must be unique. By limiting it to one byte the number of certificates should be limited to
> 256.
>
> As I can't see any significant advantage I would not risk compatibility problems and just
> leave it as it is. A cert without serial number could be at risk of being treated as invalid.
>
> On 31 May 2023 15:41:02 CEST, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> I tried putting in my conf:
>
> serial = none
>
> and that made an error.
>
> Best I have done is a serial of length 1 byte. But in my work, the subject or SAN provide uniqueness and CRLs will not be used. So want to see if I can create a cert with NO serial number.
>
> Thanks
>