The serial number is a defined field in the certificate structure. It's not optional, so you can't get away from it. In ASN.1 terms, it's an INTEGER. In DER terms, the smallest possible INTEGER occupies 3 bytes (one for the tag, which is 02, one for the length 01, and one value byte in the decimal range -128..127 (80..7F)). Without the serial number (just like without any other non-optional field), whatever you happen to produce will not be a recognisable X.509 certificate. That's it.

Cheers,
Richard

On Wed, 31 May 2023 15:55:00 +0200, Robert Moskowitz wrote:
>
> OK. I am looking at absolute certificate DER size and able to squeeze them into very small
> packets. The content should not be used in the apps, but if the libraries blow up without it,
> that would not be good.
>
> On 5/31/23 09:50, Frank-Ulrich Sommer wrote:
>
> RFC5280 which specifies X.509 certificates states that the serial number is a MUST field and
> it must be unique. By limiting it to one byte the number of certificates should be limited to
> 256.
>
> As I can't see any significant advantage I would not risk compatibility problems and just
> leave it as it is. A cert without serial number could be at risk of being treated as invalid.
>
> On 31 May 2023 15:41:02 CEST, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> I tried putting in my conf:
>
> serial = none
>
> and that made an error.
>
> Best I have done is a serial of length 1 byte. But in my work, the subject or SAN provide uniqueness and CRLs will not be used. So want to see if I can create a cert with NO serial number.
>
> Thanks
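
Added example, not part of the original thread: a Python sketch of the DER INTEGER encoding described in the reply above, showing that the serial costs 3 bytes at minimum and that a parser walking the TBSCertificate fails when it is left out. The function names are hypothetical, and `tbs_head` builds only constructed leading fields with a stub, not a valid certificate.

```python
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(n: int) -> bytes:
    """ASN.1 INTEGER in DER: tag 02, length, minimal two's-complement value."""
    magnitude = n if n >= 0 else ~n
    size = magnitude.bit_length() // 8 + 1      # always leaves room for the sign bit
    return b"\x02" + der_len(size) + n.to_bytes(size, "big", signed=True)

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                            # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def serial_of(tbs: bytes) -> int:
    """Serial number from the head of a TBSCertificate, or ValueError if absent."""
    tag, body, _ = read_tlv(tbs)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    tag, value, nxt = read_tlv(body)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        tag, value, nxt = read_tlv(body, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    return int.from_bytes(value, "big", signed=True)

# Constructed sample: only the first fields of a TBSCertificate, not a valid cert.
VERSION_V3 = b"\xa0\x03" + der_integer(2)
SIG_ALG_STUB = b"\x30\x00"                      # placeholder for the field after the serial

def tbs_head(serial=None) -> bytes:
    """Build the constructed head, with or without a serialNumber field."""
    fields = VERSION_V3 + (der_integer(serial) if serial is not None else b"") + SIG_ALG_STUB
    return b"\x30" + der_len(len(fields)) + fields
```
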