Re: Personal CA: are cert serial numbers critical?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Certificate serial numbers must be unique.  They need not be sequential or increasing.  (Mozilla's NSS will complain and refuse to work if there are duplicate serial numbers.)

I tend not to re-use keys, so I've found that putting 20 bytes (while clearing the high bit) of a digest of the SubjectPublicKeyInfo as the serial number works in that circumstance.  [if you leave the high bit set, then DER mandates that it be encoded with a leading 0x00 byte, which makes it 21 bytes... which can cause problems with things built for PKIX.]

-Kyle H

On Wed, Aug 16, 2017 at 6:24 AM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
Many years ago I started a CA for one group I manage for a private website, and now I want to update members' client certs for the stricter requirements for browsers.

My original cert generation was entirely automated including the following:

+ CN for each is an e-mail address for the member

+ the passphrase for each member's cert is determined from a pre-generated list by me, it will not change

I plan to tidy my automation before the issue of new certs, but I wonder how critical it is to ensure unique certificate serial numbers given that the certs are only used for us.  I'm not even sure I'll ever revoke any cert (they were issued to expire sometime in 2030).

So, in summary, do I need to ensure cert serial numbers are unique for my CA?

With warmest regards,

-Tom

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux