Re: Can create a cert with no serial number?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Robert

If your aim is to have very compact certifcates, look at using elliptic curves and ECDSA instead of RSA certs. You could use P224 curves but I do suggest that you use P256 instead which do not cost a lot more in space and give you 128bit equivalent strength.


Regards
Mark Hack

On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
RFC5280 which specifies X.509 certificates states that the serial number is a MUST field and it must be unique. By limiting it to one byte the number of certificates should be limited to 256.

As I can't see any significant advantage I would not risk compatibility problems and just leave it as it is. A cert without serial number could be at risk of beeing treated as invalid.

Am 31. Mai 2023 15:41:02 MESZ schrieb Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>:
I tried putting in my conf:

serial = none

and that made an error.

Best I have done is a serial of length 1 byte.  But in my work, the subject or SAN provide uniqueness and CRLs will not be used.  So want to see if I can create a cert with NO serial number.

Thanks



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux