Robert
If your aim is to have very compact certificates, look at using elliptic curves and ECDSA instead of RSA certs. You could use P224 curves, but I do suggest that you use P256 instead, which does not cost a lot more in space and gives you 128-bit equivalent strength.
Regards, Mark Hack
On Wed, 2023-05-31 at 15:55 +0200, Frank-Ulrich Sommer wrote:
RFC 5280, which specifies X.509 certificates, states that the serial number is a MUST field and it must be unique. By limiting it to one byte the number of certificates should be limited to 256.
As I can't see any significant advantage, I would not risk compatibility problems and would just leave it as it is. A cert without a serial number could be at risk of being treated as invalid.
I tried putting in my conf:
serial = none
and that made an error.
Best I have done is a serial of length 1 byte. But in my work, the subject or SAN provide uniqueness and CRLs will not be used. So I want to see if I can create a cert with NO serial number.
Thanks
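To make concrete what the serialNumber field costs on the wire and which values RFC 5280 section 4.1.2.2 forbids, here is an added example, written for this page and not code from the thread or from OpenSSL. It uses only the Python standard library. `encode_serial` produces the DER INTEGER a conforming CA would emit (positive, at most 20 content octets, sign-bit padding where needed) and `decode_serial` applies the same rules on the receiving side; the sample serial values in the `__main__` block are constructed for illustration. The function names are my own, not an API of any library.

```python
MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: conforming CAs MUST NOT exceed this


def _der_length(n: int) -> bytes:
    """DER definite-form length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(size)]) + size


def encode_serial(serial: int) -> bytes:
    """DER-encode a serialNumber (ASN.1 INTEGER, tag 0x02) as a conforming CA would.

    Raises ValueError for values RFC 5280 forbids: zero, negative, or wider
    than 20 content octets. There is no encoding for an absent serial; the
    smallest legal one (serial 1) is the three octets 02 01 01.
    """
    if serial <= 0:
        raise ValueError("RFC 5280: serialNumber MUST be a positive integer")
    content = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    # INTEGER is two's complement: if the high bit is set, prepend 0x00 so the
    # value is not read back as negative (serial 0x80 therefore costs 2 octets).
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) > MAX_SERIAL_OCTETS:
        raise ValueError("RFC 5280: serialNumber longer than 20 octets")
    return b"\x02" + _der_length(len(content)) + content


def decode_serial(der: bytes) -> int:
    """Parse a DER INTEGER as a serialNumber and enforce the RFC 5280 rules.

    Returns the value, or raises ValueError naming the rule that was broken.
    Only short-form lengths are accepted: a legal serial never needs more.
    """
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not an ASN.1 INTEGER (serialNumber is a MUST field)")
    length = der[1]
    if length == 0 or length & 0x80:
        raise ValueError("bad length octet for serialNumber")
    content = der[2:2 + length]
    if len(content) != length or len(der) != 2 + length:
        raise ValueError("truncated or trailing data in serialNumber")
    if length > MAX_SERIAL_OCTETS:
        raise ValueError("serialNumber longer than 20 octets")
    # DER minimal encoding: a leading 0x00 is only allowed to clear a sign bit.
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal DER INTEGER")
    if content[0] & 0x80:
        raise ValueError("RFC 5280: serialNumber MUST be positive")
    value = int.from_bytes(content, "big")
    if value == 0:
        raise ValueError("RFC 5280: serialNumber MUST be positive (non-zero)")
    return value


def is_valid_serial(der: bytes) -> bool:
    """True if decode_serial() accepts the encoding, False otherwise."""
    try:
        decode_serial(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: the smallest legal serial, the sign-bit edge,
    # and a 64-bit random-style serial of the kind a public CA issues.
    for s in (1, 0x7F, 0x80, 0x9C3A5F0E2B714D86):
        der = encode_serial(s)
        print(f"serial {s:#x}: {der.hex()} ({len(der)} octets on the wire)")
```

Running it shows why the thread's advice holds: a one-byte serial costs 3 octets and a 64-bit random serial costs 11, which is noise next to the ~64-byte ECDSA P-256 signature and the 65-byte public key, let alone an RSA key. The decoder also rejects what a non-conforming issuer might emit (zero, negative, or non-minimal integers), which is what relying parties tend to choke on. Caveat for anything publicly trusted: the CA/Browser Forum baseline requirements mandate at least 64 bits of CSPRNG output in the serial, so a 1-byte serial is only an option for a private PKI like the one described in the question.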